COUNTY OF SAN MATEO, CALIFORNIA
REQUEST FOR PROPOSAL
CORE CLINICAL HEALTH INFORMATION SYSTEM/
INPATIENT ELECTRONIC HEALTH RECORD
RFP # ISD 1805
Proposals must be submitted to:
San Mateo County
Information Services Department
Cyndy Chin, Administrative Assistant
222 W. 39th Avenue
San Mateo, California 94403
By 2:00 P.M. PST
February 4, 2011
REQUEST FOR PROPOSALS
FOR
CORE CLINICAL HEALTH INFORMATION SYSTEM/
INPATIENT ELECTRONIC HEALTH RECORD
Condition of Submission
This Request for Proposals (RFP) is neither a commitment nor a contract of any kind.
The County of San Mateo reserves the right to pursue any and/or all ideas generated by
this request. The costs for developing the proposals are entirely the responsibility of the
proposers and shall not be reimbursed. The County reserves the right to reject any and
all proposals and/or terminate the RFP process if deemed in the best interest of the
County. The County reserves the right to waive any requirements of this RFP when it
determines that waiving a requirement is in the best interest of the County.
Government Code Sections 6550 et seq., the “Public Record Act,” defines a public
record as any writing containing information relating to the conduct of the public
business. The Public Record Act provides that public records shall be disclosed upon
written request, and that any citizen has a right to inspect any public record, unless the
document is exempted from disclosure.
The County of San Mateo cannot represent or guarantee that any information submitted
in response to this RFP will be confidential. If the County receives a request for any
document submitted in response to this request, it will not assert any privileges that may
exist on behalf of the person or business entity submitting the proposal. It is the
responsibility of the person or business entity submitting the proposal to assert any
applicable privileges or reasons why the document should not be produced. The
County will attempt in a timely manner to inform the person or business entity that
submitted a proposal of the public records request in order to permit the person or
business entity to assert any applicable privileges.
Contents
1. Purpose of the Request for Proposal
2. Timeline
3. General Conditions of Submission
4. Proposal Contents
5. Service Capabilities
6. Proposal Submission
7. Evaluation of Proposals
8. Protest Process
9. Contract Negotiation and Inability to Negotiate a Contract
Attachment: Sample County Contract Template, Supporting Materials &
Contractor Declaration
APPENDICES
Appendix A1 through Appendix F are required to be submitted with the
proposal.
APPENDIX A1 TECHNICAL REQUIREMENTS RESPONSE FORM FOR
CLIENT SERVER SOLUTION
APPENDIX A2 TECHNICAL REQUIREMENTS RESPONSE FORM FOR A
SaaS SOLUTION
APPENDIX B FUNCTIONALITY AND INTEGRATION RESPONSE FORM
APPENDIX C1 IMPLEMENTATION, PROJECT MANAGEMENT, TRAINING,
AND ON-GOING SUPPORT FOR A CLIENT SERVER
SOLUTION
APPENDIX C2 IMPLEMENTATION, PROJECT MANAGEMENT, TRAINING,
AND ON-GOING SUPPORT FOR A SaaS SOLUTION
APPENDIX D PROPOSAL COST RESPONSE FORM (Excel Spreadsheet)
APPENDIX E SaaS/ASP SECURITY ASSESSMENT CHECKLIST
APPENDIX F FUNCTIONAL REQUIREMENTS (Excel Spreadsheet)
Exhibit 1 CURRENT INTERFACE LIST
1. Purpose of the Request for Proposal
INTRODUCTION
San Mateo Medical Center (SMMC) is requesting proposals from qualified suppliers to
provide, install, implement, support and maintain a software solution for a Core Health
Clinical Information System for inpatient care to achieve Meaningful Use of Certified
Electronic Health Record (EHR) Technology and manage and support the delivery of
efficient, cost-effective, and high quality healthcare within the organization.
We are also querying vendors who respond to this RFP regarding their ability to
integrate the various existing systems outlined in this RFP into an integrated EHR
package that will provide continuity of care for our patients across the entire enterprise.
This document provides background on the SMMC organization, vendor selection
process, SMMC’s functional and technical requirements, and other pertinent
information.
Additional requirements of the software include:
• Must be HIPAA compliant.
• Must have secure web based access.
• Must generate reports required for state and payor requirements.
• Must generate letters to the referring provider/agency as well as other
  notification tools to complete the transfer process.
• Must facilitate compliance by SMMC of all applicable laws and regulations.
• At the time of implementation, must be certified under the Office of the
  National Coordinator for Health IT rules for Meaningful Use.
SMMC will consider an on-site client server solution or a Software as a Service (SaaS)
solution. However, the proposed solution must be a proven base system. SMMC is not
interested in beta systems or purchasing professional services to design and develop a
system. The integrated solution must meet the technical, support, service, and
business requirements as defined in this RFP.
This project will be under the direction of the SMMC Executive Leadership Group and
SMMC Information Technology Governance Committee and it will be coordinated
through the Core Clinical Health RFP Evaluation Committee.
1.2 Service Providers
The County welcomes proposals from all qualified service providers. The County may,
at its sole discretion, enter into contract with one or more qualified service providers.
1.3 Contact with County Employees
As of the issuance date of this RFP and continuing until the final date for submission of
proposals, all proposers are specifically directed not to hold meetings, conferences or
technical discussions with any County employee for purposes of responding to this
RFP except as otherwise permitted by this RFP. Any proposer found to be acting in
any way contrary to this directive may be disqualified from
entering into any contract that may result from this RFP.
Proposers should submit questions or concerns about the process as outlined in
Paragraph 2.1. The proposer should not otherwise ask any County employees
questions about the RFP or related issues, either orally or by written communication.
1.4 Background
San Mateo Medical Center
SMMC is a fully accredited 448 bed acute and long-term care hospital and outlying clinic
system owned and operated by the County of San Mateo. The system has grown over
the years and today provides inpatient and outpatient care to the communities within
San Mateo County in Northern California.
SMMC employs its own physicians and is recognized as providing services which
include acute inpatient care, long-term care facility and services, Psychiatric Emergency
Service, inpatient psychiatric services and operation of a comprehensive medical
emergency room. Inpatient services include medical/surgical care as well as specialized
services such as psychiatry and therapies such as recreational services for Long Term
Care patients. Although we see OB patients in our clinics, SMMC does not have a
Labor and Delivery service. In addition, although we do serve pediatric patients, we do
not have a dedicated pediatric unit; the great majority of our inpatients are adult.
Inpatient units at the Main campus include two Medical/Surgical units totaling 62 beds, a
7-bed ICU and a 34 bed inpatient psychiatric unit. The other 345 beds are for long-term
care patients, 64 beds in 2 units on the main campus and 281 beds at the Burlingame
facility; at this time one of the long-term care units at the main campus is closed.
Proposals should include information about data for all types of beds including the long-
term care beds, especially around documentation systems and integration of that data
within a comprehensive patient record.
Outpatient services include both primary care and specialty clinics located at SMMC and
at satellite facilities throughout the county.
Further information about SMMC can be obtained at their website:
www.sanmateomedicalcenter.org
SMMC Information Services Department
San Mateo Medical Center IT Vision
The SMMC Information Technology vision is a paperless/paper-lite, automated,
integrated delivery system that traverses the continuum of care. The goal is to leverage
systems and technology to improve patient care, physician and employee satisfaction
and patient safety and to support effective revenue management to create a distinct
competitive advantage.
Specifically SMMC seeks to deploy Information Technology tools to:
• Advance patient safety and quality of care
• Improve coordination of care across the continuum
• Enhance patient, family and staff satisfaction
• Improve the delivery of timely, efficient and cost-effective care
• Optimize “Revenue Cycle” processes
• Enhance evidence-based clinical and administrative decision making
• Ensure compliance with all regulatory and accreditation standards
Two key drivers will play a major role in the sequencing and timing of the deployment of
Information Technology tools/solutions to achieve these goals:
• Both the clinic system and the SMMC Emergency Department (ED) are currently
  using EHR technology; eClinicalWorks is being used by all primary and specialty
  care clinics and Pulsecheck from Picis is the ED system. Data from all systems
  must be available to all providers across the Health system.
• The ability to meet the ARRA (American Recovery and Reinvestment Act)
  Meaningful Use criteria in order to maximize the incentive award is critical to the
  funding of this initiative and must be considered in the planned scope and
  approach of the implementation.
SMMC Information Services
Information systems and technology for SMMC are centralized in the County’s Information
Services Department (ISD), which is responsible for all systems, planning, development
and support. Business units comprising ISD are:
• Application Services – provides a comprehensive array of services
  o Strategy
  o Solutions
  o Sourcing
  o Support
• Technical Services
  o Data Center Operations
  o Operations
  o Customer Service
  o Field Support
Technical Environment
Technical Standards – Intel Platform
SERVER
Operating system: Windows Server 2003-2008/Windows Active Directory
Hardware: Intel Dual Core 3.0 GHZ – 2MB cache, fiber/GBE NIC (redundant), Integration to an EMC Clarion SAN is via fiber connectivity.
Backup: CommVault and/or Tivoli Storage Manager
Server redundancy/cluster: Depends on application
Disk array: Typically RAID 5
DESKTOP/LAPTOP HARDWARE
Mid-level PC with 17” monitor: Dell Optiplex Ultra small form factor PC
Monitor settings: 1024 x 768/ high color
Laptop: Dell models
DESKTOP/LAPTOP SOFTWARE
Operating System: Windows XP with Service Pack 2/3
Office applications: Microsoft Office 2003 Professional, SP2
Email: Novell Groupwise
Terminal emulation: Attachmate
PDF reader: Adobe Acrobat Reader 7.0
Desktop database: Microsoft Access 2003
Internet browser: Microsoft Internet Explorer 6.0/7.0
Antivirus: McAfee
Java: Java Version 1.4.x
Encryption – Laptop Only: Guardian Edge
PRINTERS
Laser: HP LaserJet – Group - Mid-range printer is 4250TN; HP LaserJet – MFP is HP 4345TN; HP LaserJet – standalone is HP2105D
Impact: Not supported
Label: Zebra with network connectivity
Network interface: HP- Internal Jet Direct
Technical Standards – Proprietary Platform (Midrange)
SERVER
Operating system: AIX, OS400, Sun Solaris
Hardware: 64bit processor, connectivity to SAN a must, dual NIC, redundant power supply. Manufacturer configuration approval required.
Backup: Internal for OS, integration into enterprise backup required. SMMC ISD uses CommVault and Tivoli Storage Manager.
Server redundancy: Depends on application
Disk array: Depends on application
Virtualization: Supported based on application
COMMUNICATION
Protocol: TCP/IP
Topology: Ethernet
Routers/ switches: Cisco
Bandwidth – network: Gigabit (sx/lx)
Bandwidth – to the desktop: 10/100 MB/ second
Backbone: Fiber optic
Cable to the desktop: Category 5e UTP with RJ45 connections
REMOTE AUTHENTICATION/SUPPORT
Cisco VPN/SSL
UPS
Must specify requirements from manufacturer. Computer room has UPS.
There are two data centers available, one at the Medical Center and the other at the County
Center in Redwood City. Both support virtualization and are connected through a robust WAN.
County clinics are networked via the AT&T Opteman solution.
There is a wireless network in place supported by Cisco hardware; standard is 802.1x.
2. Timeline
The following timeline will be followed for this RFP
1) Release of RFP: Mon 12-20-10
2) Deadline for written questions: Wed 1-12-11 2PM PST
3) Answers to written questions: Thurs 1-20-11
4) Proposal Due Date: Fri 2-4-11 2PM PST
5) Start Review of Proposals: Mon 2-7-11
6) Recommendation to ISD Director: Fri 3-4-11
7) Last Date to Submit Protest: Fri 3-18-11 2PM PST
8) Determination of Protest: Mon 3-28-11
9) Board Approval: To Be Determined
10) Contract Start Date: To Be Determined
2.1 Submittal of Questions
Proposers are encouraged to submit written questions about this RFP. Questions are
to be received at the County by 2PM, PST on Wed, Jan 12, 2011. Questions shall
reference this RFP by number and be in writing and faxed or emailed to:
Cyndy Chin, Administrative Assistant
Email: CChin@co.sanmateo.ca.us
FAX: 650-627-9160
Answers to questions will be distributed by fax or email no later than Thurs, Jan. 20,
2011, to all who receive a copy of this RFP.
3. General Conditions of Submission
The submitted proposal shall be used to determine the proposer’s capability of
rendering the services to be provided. The failure of a proposer to fully comply with the
instructions in this RFP may eliminate its proposal from further evaluation. The County
reserves the sole right to evaluate the contents of proposals submitted in response to
this RFP and to select one or more successful contractor(s) or none at all. The County
reserves the right to waive any requirements of this RFP when it determines that
waiving a requirement is in the best interest of the County. The proposal is to include
contact information, including principal contacts and officers, main and local business
addresses, tax identification number, voice and fax phone numbers, and email address.
The selected proposal’s content will be included as an exhibit in the final contract.
4. Proposal Contents
4.1 Service Requirements
Project Application Scope and Description
The primary objective of this project is to identify an integrated clinical information system
solution from a single vendor of choice to support the delivery of inpatient care at SMMC.
Consideration will also be given to the comprehensive scope of applications within a
vendor’s offerings to allow SMMC to move towards a fully integrated Hospital
Information/Clinical Information (HIS/CIS) environment in the future. Integration of the
various EHR “pieces” is critical to having a user-friendly solution; this is a key piece of the
proposal.
SMMC is requesting proposals for an integrated solution that supports the following specific
applications/functional areas:
Hospital-based Core Clinical Applications/Functionality
• Provider Order Entry (CPOE) for all services
• Clinical Decision Support (CDS)
• Nursing and Ancillary Clinical Documentation (assessment, care plans)
• Multidisciplinary Clinical Documentation (care providers including MDs)
• Intensive Care Services (ICU)
• Peri-Operative services Documentation
• Pharmacy / Medication Management
• Infusion Center Management (Chemotherapy only, no Radiation
  Therapy)
• Telemetry and Patient Monitor Integration
Additional Support Applications/Functionality
• Enterprise Document Management System (EDMS)
• Reporting Tools
Possible Future Applications
• Referral Management System
• Affiliated Physician Portal
• Patient Portal
• Personal Health Record
SMMC’s patient mix is broad and will require functionality that supports multiple care
delivery settings including inpatient acute and critical care for adults and children, inpatient
and outpatient surgery, long-term care, inpatient psychiatric care as well as support for
respiratory therapy, rehabilitation and pharmacy services.
SMMC is committed to selecting an information system that supports the development of
evidence based care and promotes and tracks quality outcomes. To that end, this RFP
contains requirements that support the building of an infrastructure to support improvement
in core measures and other quality indicators, such as The Joint Commission Patient Safety
goals and IHI quality indicators.
Lastly, the goal of achieving a paperless/paper-lite patient chart environment must be
supported through a complementary document management/imaging solution. It is also
SMMC’s intention to utilize the Document Management solution on an enterprise-wide basis
beyond the integration with patient-centric clinical systems. Initially this will include the
Patient Registration and Patient Business Services (PBS) departments and expand beyond
that as opportunities arise.
Various clinical systems will remain unchanged within the SMMC organization and
integration with these must be addressed to ensure a comprehensive view of a patient’s
care delivery. The clinical systems that will remain in place and require integration with your
proposed solution include (at a minimum):
• Picis Emergency Department Information System (Pulsecheck)
• Siemens Novius Laboratory Information System
• Siemens Radiology Information System
• eClinicalWorks Ambulatory EMR
There are several in-place systems that may be evaluated for replacement as part of this
proposal:
• ResQ: Resource and OR scheduling
• Quadramed: Acuity
• Dietary on-line: Food and nutrition orders are not done through Invision but through
  an on-line program developed in-house
• Restraints: Restraint protocols are managed through an in-house developed
  program
• Siemens Pharmacy Information System (inpatient) – SMMC would prefer to keep this
  system in place; however, because CPOE and Medication Administration and
  Reconciliation are very dependent upon the inpatient Pharmacy, there might be a
  need to replace it.
Other systems which will be key to a full patient record include Softmed in the Health
Information Management (HIM) department and Achieve, used in the Long Term care units.
The implementation will also require integration of your proposed clinical solution with the
following revenue cycle incumbent solutions at SMMC (a current list of interfaced systems
and applications can be found in Exhibit 1):
• eClinicalWorks – enterprise patient scheduling
• Invision – Patient Management and Patient Accounting
• SoftMed – HIM
In addition, the integration of other EHR systems throughout the San Mateo County Health
system must be considered. The need of all providers across the Health System to share
data in order to improve patient care is great. At this time, the primary system is an Avatar
(Netsmart) EHR system currently in place in the Behavioral Health division and soon to be
implemented within Family Health.
Based on an accepted proposal, there may also be requirements for data conversions or
additional interfaces to/ from various existing systems. This will be discussed further after
proposal review.
SMMC ASSUMPTIONS
The system will include the following components:
• Production, Test and Training Environments
• User Training
• Integration with existing clinical systems
Planning and Volume Statistics
The data below represents the key clinical and business statistics for SMMC. This
information is intended to be used as a reference to assist in the completion of your
response including pricing, sizing of processor(s), main memory, disk storage, and
necessary subsystems/third-party software.
San Mateo Medical Center Operational Data
Item | FY09-10 (Period Ending 6/30/10) | Projected (within 3 years)
Total Number of Beds | 448 | 448
Number of Beds by Specialty:
Medical/Surgical | 62 | 62
ICU/CCU | 7 | 7
Psychiatric | 34 | 34
Long Term Care (LTC) | 345 | 345
Number of Operating Rooms | 3 | 4
Annual Discharges-Acute Care | 2795 | 3075
Annual Inpatient Days-Acute Care | 12396 | 13635
Average LOS-Acute Care | 4.4 | 4.5
Annual Discharges-Psych | 826 | 908
Annual Inpatient Days-Psych | 9746 | 10720
Average LOS-Psych | 11.8 | 11.8
Annual Discharges-LTC | 479 | 546
Annual Inpatient Days-LTC | 102957 | 113252
Average LOS-LTC | 215 | 215
Annual ED Visits | 35515 | 39066
Annual Psych Emergency Visits | 3494 | 3843
Annual Hospital Outpatient Visits (excluding ED & Same Days) | 238572 | 262429
Number of satellite clinic sites | 9 | 9
Number of Physicians On-staff | 150 | 150
Planned Concurrent Users | 600 | 600
4.2 History/Organizational Background
The proposal should describe the following: the proposer’s company’s history, mission,
programs, and services; administrative structure; and experience, including length of
time in providing similar services. Please include any past experience with local
government agencies. Also, describe how this program will fit into your overall
organization. Attach an organizational chart of your San Francisco/Bay Area region
operation.
Please use the format below for this information.
PROPOSER’S CORPORATE INFORMATION
1. EXECUTIVE SUMMARY
Include an executive summary which should be a one or two page summary
intended to provide the Evaluation Committee with an overview of the significant
business features of the proposal.
2. PROPOSER EXPERIENCE/INFORMATION
The Proposer shall include in their proposal a statement of relevant experience.
The Proposer should thoroughly describe, in the form of a narrative, its
experience and success as well as the experience and success of
subcontractors, if applicable, in providing and/or supporting the proposed system.
In addition, Proposers are required to provide the following information:
a. Vendor Primary Contact:
1) Name:
2) Title:
3) Office/Location Address:
4) Phone Number:
5) Fax Number:
6) Email Address:
7) Organization’s Internet Home Page:
b. Please list names, title, background and tenure of the executive
leadership of your organization and/or of your Healthcare Information
System division if part of a larger/broader organization.
c. Identify the locations (city, state) of the following:
1) Corporate Headquarters:
2) Programming/Technical Support Personnel:
3) Field Engineering:
4) Client Education Personnel:
5) Consulting Services Personnel:
d. Under the laws of which state the vendor is incorporated:
e. What is the number of employees in your organization, categorized by:
1) Total:
2) Management/Administration:
3) Marketing /Sales:
4) Research and Development:
5) Installation:
6) Ongoing Application Support:
7) Customer Service/Telephone Support:
8) Other:
f. Provide input on the number and type of clinical resources you have on
staff.
g. How long has your company been in the business of Clinical Information
systems?
h. What percentage of your company business involves Clinical Information
systems?
Please provide the following financial information for each of the last three
fiscal years (specific to your software division if part of large company):
FY 2010 FY 2009 FY 2008
Annual Revenue
Net Profit
Total Assets
Total Debt
% Net Revenue spent on Research and Development
i. Are there any established user groups associated with your organization
or proposed product? Please describe your organization’s
sponsorship of these groups and how your organization works with them:
j. Provide a complete disclosure if Proposer, its subsidiaries, parent, other
corporate affiliates, or subcontractors have defaulted in its performance
on a contract during the past five years which has led the other party to
terminate the contract. If so, identify the parties involved and the
circumstances of the default or termination.
k. A list of any lawsuits filed against the Proposer, its subsidiaries, parent,
other corporate affiliates, or subcontractors in the past five years and the
outcome of those lawsuits. Identify the parties involved and
circumstances. Also, describe any civil or criminal litigation or
investigation pending.
3. FINANCIAL STABILITY/PROPOSER FINANCIAL INFORMATION
Proposer shall submit copies of the most recent year's independently audited
financial statements, as well as those for the preceding three years, if they exist.
The submission shall include the audit opinion, balance sheet, income statement,
retained earnings, cash flows, and notes to the financial statements. If
independently audited financial statements do not exist for the Proposer, the
Proposer shall state the reason and, instead, submit sufficient information such
as the latest Dun and Bradstreet report to enable the Evaluation Committee to
determine the financial stability of the Proposer. The Proposer shall supply any
additional financial information requested by SMMC ISD in a timely manner.
4.3 References
Please provide the following information for three references. It is important that you include
references that are similar to SMMC in terms of size, clinical services, scope of applications and
technology environment. If possible, provide at least one reference site from the state of
California, preferably from the San Francisco Bay Area. SMMC will not contact any references
without your permission. Please use the format below to provide this information.
Reference #1:
a) Organization Name:
b) Organization Address:
c) Size and Type of Facility:
d) Name and Release Version of Application(s) Installed:
e) Application(s) Live-dates:
f) Nature of Relationship between Vendor and Reference Site (i.e., partner, beta site):
g) Individual with sufficient knowledge and experience to speak on the implementation
process, product functionality, vendor support, and documentation and training.
• Name:
• Title:
• Phone number:
• Contact email address:
Reference #2:
a) Organization Name:
b) Organization Address:
c) Size and Type of Facility:
d) Name and Release Version of Application(s) Installed:
e) Application(s) Live-dates:
f) Nature of Relationship between Vendor and Reference Site (i.e., partner, beta site):
g) Individual with sufficient knowledge and experience to speak on the implementation
process, product functionality, vendor support, and documentation and training.
• Name:
• Title:
• Phone number:
• Contact email address:
Reference #3:
a) Organization Name:
b) Organization Address:
c) Size and Type of Facility:
d) Name and Release Version of Application(s) Installed:
e) Application(s) Live-dates:
f) Nature of Relationship between Vendor and Reference Site (i.e., partner, beta site):
g) Individual with sufficient knowledge and experience to speak on the implementation
process, product functionality, vendor support, and documentation and training.
• Name:
• Title:
• Phone number:
• Contact email address:
5. Service Capabilities
5.1 The proposal should define the scope of work and specific services being
offered in your proposal and should include the information listed in the sections
below:
5.1.1 TECHNICAL REQUIREMENTS
SMMC is seeking a contractor to provide a complete solution to satisfy the technical,
functionality, and integration requirements and one who is capable of providing the
stated capacity and service levels as well as the training and technical support required
to maintain the system in an operational status.
The technical requirements are to be defined referencing the technical requirements in
Appendices A1 and A2. Proposers submitting a proposal for a client server solution
must submit Appendix A1; whereas Proposers submitting a proposal for a SaaS solution
must submit Appendix A2. Proposers submitting a proposal for both types of solutions
must submit Appendix A1 and Appendix A2.
Proposers must submit a thorough narrative supported by references to the technical
documentation in response to questions asked in Appendix A1 or Appendix A2.
5.1.2 VENDOR PROPOSED PRODUCT INFORMATION
Please complete the table below regarding the proposed applications:
Applications
Supported Functionality (Ref Section II-D) | Application Suite Name | Module Name | Developed In-House, Integrated, or Interfaced? | Current Status (i.e., in development, beta, or generally available w/version #) | # Live Clients
Hospital-based Core Clinical Applications
• Provider Order Entry/all order services
• Clinical Decision Support
• Nursing and Ancillary Clinical Documentation (assessment, care plans)
• Multidisciplinary Clinical Documentation including providers
• Intensive Care Services (ICU)
• Perioperative Services, including documentation
• Infusion Center Management
• Telemetry and Patient Monitor Integration
Additional Support Applications
• Enterprise Document Management System (EDMS)
• Reporting Tools
Possible Future Applications
• Referral Management System
• Affiliated Physician Portal
• Patient Portal
• Personal Health Record
5.1.3 SYSTEM SUPPORT REQUIREMENTS
Function | Vendor Use Only: Yes / No / Comments
1) A dedicated support team is guaranteed.
2) Toll free telephone support is available 7 days a
week, 24 hours a day.
3) Web-access support is available 7 days a week, 24
hours a day.
4) Telephone support response times are guaranteed.
Specify the response time.
5) For the proposed hardware, please identify the party
responsible for support.
6) For the proposed software, please identify the party
responsible for support.
7) Is a preferred or “premier” customer support status
offered?
8) Is a warranty for the application(s) available? What is
the warranty period?
System Support - Additional Requirements
1. Where are your customer support offices located?
2. What are your standard support hours? Are they based on client local time? Do you offer
extended support hours? Is there an additional charge for this and if so, what is that
charge?
3. Define the recommended size and skill set of the IT staff to support your proposed core
clinical product(s) at an organization of SMMC’s size and complexity.
4. Assuming SMMC contracts with another party for hardware, networking, etc., how are
lines of responsibility drawn?
5. Describe the process for resolving client issues and problems:
a) Discuss issue logging and tracking.
b) Explain service request prioritization.
c) Describe escalation procedures.
d) Discuss status reporting.
e) Provide average turnaround times for problem resolutions.
f) What documentation/acknowledgement is communicated to SMMC when a
problem/issue is communicated to the vendor?
6. Describe your methodology for new version/releases of your software:
a) Development.
b) Testing.
c) Distribution.
d) Installation.
e) Notification.
7. How often are new versions released?
8. What is the recommended / standard timeframe for taking new releases?
9. When a new version of your product is released, will you guarantee upward conversion
to the new release at no additional cost to SMMC?
10. Can new software be applied and tested in the training system before it is applied to the
production system?
11. Is the training database/environment a mirror image of the production files and the
systems test database?
12. Can the test/training environment be ‘refreshed’ or synchronized from the production
environment by SMMC independent of vendor participation? Please explain.
13. How are customizations – vendor and customer-created – accommodated in new
releases, i.e., not overwritten?
14. How many levels of software releases are supported?
15. Does the vendor organization support a remote hosted model for their software? Please
describe offering.
5.1.4 IMPLEMENTATION APPROACH
1. Please describe your typical approach to implementing the proposed core clinical
solutions at an organization of SMMC’s size and complexity.
2. Please describe a high-level recommended installation sequence and timetable for the
proposed core clinical applications with the intended goal of maximizing ARRA HITECH
incentive monies through reaching Meaningful Use in a timely manner. Please include a
description of suggested implementation phases and timing (e.g., Phase 1:
Orders/Results, Phase 2: Clinical Documentation, etc.)
3. Provide a sample implementation work plan for the proposed applications indicating the
tasks required, the relative sequence of tasks, the party responsible for each task, and
the approximate time required to complete each task.
4. Describe the anticipated vendor and SMMC personnel and/or outside resources
required/ recommended to install your proposed solutions outlined in #2 above (skill level
and numbers).
5. Discuss activities/assistance that could be provided by vendor personnel in addition to
those provided for in your work plan and implementation cost estimate and describe how
these additional services would be billed.
6. Describe your formal procedure for system acceptance, including hardware and
software.
7. Describe your methodology for conversion of current system files, specifically:
a) Patient demographics.
b) Clinical documentation (discrete data and transcribed reports). Please provide
input on two methods for this data:
1. Converting discrete data/transcribed reports to your CIS.
2. In-loading of a subset of paper charts via your document management
solution.
8. For any identified automated conversions, who would be responsible for developing:
a) Extracts from the current system?
b) Input/edit/updates to your system?
9. What is your recommendation for converting existing clinical data from the incumbent
Siemens Invision system -- to your proposed CIS as discrete data, to your proposed
document management solution, other? How have other clients addressed historical
clinical data conversions?
5.1.5 CLINICAL CONTENT
1. Please describe your typical approach and/or options to building the clinical content
needed for order entry/CPOE to achieve standardization and patient safety (e.g., order
sets, clinical decision support, standardized documentation, etc.).
2. Describe the types and number of order sets and alerts/reminders you provide with the
order entry module, i.e., ‘starter set’? If you provide these, please provide details.
3. Describe your system’s ability to deal with standardized order sets by specific
physicians vs. diagnosis.
4. Describe in detail the clinical content that is provided with your clinical system. Provide
numbers and types of content including order sets (if not described in #2 above), clinical
rules and alerts, care plans, etc.
5. Describe how the clinical content is maintained in your application.
6. Does your system support the import of 3rd party clinical content? If so, please describe
the process and how existing content is impacted.
7. List the 3rd party vendors that you are aligned with for providing clinical content.
Describe any additional costs for this 3rd party software.
8. Describe how your system allows the ability to aggregate data directly from the CDR for
regulatory initiatives – e.g., THE JOINT COMMISSION core measures, CMS core
measures, IHI sepsis bundle compliance, SMMC specific databases, etc.
9. Describe your system’s ability to integrate various care protocols into general
assessment, scoring, implementation and on-going reassessment into the EMR – i.e.,
falls, pressure ulcers, groin management, restraints, rehab protocols, moderate sedation
protocols, central line placement protocols, etc.
10. Describe how the system assists with adherence to national patient safety goals from
THE JOINT COMMISSION or National Quality Forum guidelines – program screening,
implementation, compliance monitoring, etc.
a. High risk medication alerts
b. Look alike, sound alike drugs
c. Drug concentrations
d. IV Conscious sedation
e. Monitoring of hospital acquired infections
f. Patient identification
g. Clinical alarms
h. Critical values
i. Medication reconciliation
11. Describe the system’s ability to recognize symptoms, or patterns of symptoms, of
patients in trouble and to alert the end-user.
5.1.6 FUNCTIONALITY AND INTEGRATION REQUIREMENTS (APPENDIX B)
Proposers must complete and submit with their proposals the functional and integration
requirements referenced in Appendix B.
5.1.7 TRAINING
Function Vendor Use Only
Yes No Comments
1) Documentation is available in hard copy.
2) Documentation is available on-line.
3) On-line documentation can be printed on demand.
4) Documentation is available on CD or DVD
5) Documentation manuals accurately reflect the most
current software release.
6) Vendor-supplied training can be conducted on-site at
SMMC.
Training - Additional requirements
a) Provide a summary description of the documentation provided with the system including:
a) System administration manuals (including use of decision and edit tables).
b) Technical documentation (including detailed HL7 interface specs and data
schema).
c) User reference manuals.
d) Training manuals.
b) Describe the training approach for user personnel. Outline training classes/sessions
offered, course content, approximate length of time for each session and approximate
ratio of hands-on practice vs. lecture.
c) Describe any computer-based instruction modules available for training during installation
and for on-going training.
d) Describe the training provided to operations and technical support personnel.
e) Describe the training for the report writer or reporting mechanism. Describe how this is
accomplished and what the cost is.
f) Describe the training available to information systems and user department core group
personnel for product orientation in advance of system file, table, profile and parameter
building.
g) Describe any ongoing training available to customers included in the
maintenance/support arrangement at no additional cost (not including out-of-pocket
expenses).
h) Discuss options available for training new personnel after initial implementation.
Provide a listing of all standard reports that are provided by the system (for each module) and a
sampling of each with your response.
Additional Note:
The implementation, project management, training, and ongoing support requirements
are to be defined referencing the requirements in Appendices C1 and C2. Proposers
submitting a proposal for a client server solution must submit Appendix C1; whereas
Proposers submitting a proposal for a SaaS solution must submit Appendix C2.
Proposers submitting a proposal for both types of solutions must submit Appendix C1
and Appendix C2.
Proposers must submit a thorough narrative supported by references to the
implementation, project management, training, and ongoing support in response to
questions asked in Appendix C1 and/or Appendix C2.
5.1.8 STRATEGIC DIRECTION
This section gathers information related to the strategic direction of the vendor and defines the
contractual requirements of SMMC. Please answer each question completely, concisely, and
accurately.
1. Strategic Requirements
a) Has your company acquired or merged with any other organizations in the past three
years? If so, please describe.
b) Are you a subsidiary of or under the control of any other corporation, individual, or other
entity? If yes, please provide entity name.
c) Describe your corporate vision for how information technology will support the healthcare
environment of the future (i.e., over the complete continuum of care).
d) Describe how workflow tools are integrated into your products and how they can be
customized by the client.
e) Identify your product’s strengths and its areas for improvement.
f) What are your plans to address these improvement opportunities?
g) Describe your organization’s vision for providing web-based applications, technologies,
or value-added services.
h) Describe how your system supports the development of evidence based care and
promotes and tracks quality outcomes.
i) How does your system support the building of an infrastructure to support improvement
in core measures and other quality indicators, such as THE JOINT COMMISSION
Patient Safety goals and IHI quality indicators?
j) What reporting capabilities are available with your system for reporting core measure
performance?
k) Can the proposed solution support all relevant California state regulatory requirements?
l) Describe any work you are doing with designing or developing systems to assist
healthcare organizations meet Leap Frog standards.
m) Describe the work you’ve completed or will complete to ensure that your applications will
support clients with the expanded HIPAA requirements stemming from the ARRA
HITECH Act (security and privacy focused).
n) Please provide examples of operational efficiencies and process integration benefits
achieved by clients through the use of your system (attach materials, as needed).
o) Discuss your efforts to provide interfacing to ‘smart’ IV pumps and please specify those
manufacturers that you have interfaced with to date.
p) Describe how your system has incorporated the use of bar-coding, RFID and proximity
technology into the care delivery process. Do you partner with other vendors to support
these features, and/or is the software internal to your product? Please provide detailed
information on this focus area.
q) Describe how your system can support a community-wide HIE (health information
exchange) initiative to consolidate patient clinical information across disparate entities,
i.e., RHIO (regional health information organization) and/or CMPI (community master
patient index).
r) Please describe how your system handles bed management. Is this function part of your
CIS or your HIS? Assuming it is part of your CIS and assuming that SMMC will remain
on their Invision system for Registration/ADT, how will that affect the bed management
processes within your CIS?
s) What constraints do you see with the integration of a 3rd party laboratory system (Novius
LIS)?
t) SMMC plans to keep their incumbent EDIS (Pulsecheck) in place initially. What data
points would you recommend for integration between your CIS and SMMC’s Pulsecheck
ED System to ensure a comprehensive clinical record for patients that span the
ED/Inpatient continuum? Have you integrated with Pulsecheck? Have you integrated
with other ED systems? What challenges have you encountered?
u) Please outline how your proposed solution supports the ARRA HITECH Meaningful Use
requirements. Include a table of the required Meaningful Use functionality (by year) and
how your proposed solution meets these requirements currently or planned. Include
both core and menu set items in this description.
5.1.9 Contractual Information
Indicate, in the following table, your agreement to the contractual requirements identified.
Some requirements identified below relate to language included in the County’s standard
contract template, a copy of which is attached to this RFP. If you cannot agree to a
requirement, explicitly state such in your response and provide alternative contract language
for consideration.
Requirement Vendor Response
Yes No Comments
a) Should SMMC contract with your organization, there
are no pending litigation activities involving your
organization that could have an impact on SMMC.
b) Your organization will contract guaranteed prices for
software systems that are currently under
development and not yet installed.
c) Your organization will contract for “not to exceed”
installation fees.
d) Your organization will stipulate that the contract will be
entered into under, and governed by, the laws of
California. (See Section 15 of the County’s standard
agreement.)
e) Your organization will stipulate that any dispute
arising under the contract will be venued in the
County of San Mateo or the United States District
Court for the Northern District of California. (See
Section 15 of the County’s standard agreement.)
f) Your organization will agree to unconditionally
guarantee all items against defects in materials,
workmanship, and performance for one year from
date of installation by SMMC unless otherwise
specified.
g) Proposed acquisition and ongoing maintenance or
support costs include any future enhancements or
upgrades to the application modules. If not, indicate
additional costs in the cost quotation.
h) Your organization can and will comply with the
County’s non-discrimination policy. (See Section 11
of the County’s standard agreement.)
i) Your organization can and will comply with the
County’s equal employment opportunity policy. (See
Section 11 of the County’s standard agreement.)
j) Your organization can and will comply with the
County’s policy regarding employee benefits. (See
Section 11 of the County’s standard agreement.)
k) Your organization can and will comply with the
County’s jury duty policy. (See Section 17 of the
County’s standard agreement.)
l) Your organization can and will comply with the
County’s hold harmless language. (See Section 7 of
the County’s standard agreement.)
m) Your organization can and will comply with the
County’s insurance requirements. (See Section 8 of
the County’s standard agreement.)
n) Your organization is able and commits to comply with
all other terms of the County’s standard contract. (If
not, provide an explanation for the inability to comply
with the required term(s). If no objections are stated,
County will assume the proposer is prepared to sign
the County contract as-is.)
Contractual Information - Additional Requirements
i. How many contracts for proposed systems have you signed in the last three years?
Please specify for each component.
ii. How many of those clients have completed implementation of your system? (List the
applications installed for each client.)
iii. Have any of your customers cancelled a contract in the last two years before, during, or
after an installation? If yes, why? (Specify organization and location.)
iv. Describe how you will commit to providing changes mandated by Federal (e.g., HIPAA,
FDA), State, Accrediting (e.g., THE JOINT COMMISSION), and standards (e.g., HL7)
organizations. Are there any additional costs for these updates?
v. Describe your approach and timing to accommodate the mandated change to HIPAA
v5010 format and ICD-10 diagnosis code set.
vi. Have you obtained ONC certification in support of ARRA HITECH requirements
(available beginning October 2009)?
vii. Please list the clients that have purchased your CORE HIS within the last two years.
5.1.10 Application Design
Function Vendor Response
Yes No Comments
a) If the application is Windows-based, can your system
run under VMWare Workstation (virtualized
environment)?
b) Is the application object oriented design with flexibility
to add custom fields and modification easily? Explain.
c) Does the application provide a tool to migrate
customization to new software releases? If so,
describe.
d) Does the application have web access capability for
view-only?
e) Does the application have web access capability for
ordering, results processing, and clinician charting?
f) Is the e-mail interface capable of notification and
routing of reports?
g) Can the systems support the use of email distribution
lists?
h) Is the e-mail interface part of a secure messaging
system?
i) How is PHI encoded in email?
Application Design- Additional Requirements
i) What language is the application written in?
ii) Describe the processing model used in the application, such as 2, 3, or multi-tier.
iii) Describe the distribution and centralization capabilities for data, application, and interface
processing across physical platforms.
iv) Describe how capacity planning is accomplished. Include any calculations and
documents in your response.
v) Provide a schematic showing the logical design of the proposed applications that
identifies all databases and files and indicates the direction of data flow.
vi) How are databases mirrored for failure tolerance?
vii) Does the system support voice recognition as an input mechanism? If so, please
explain how and if there are any third party products or components required.
viii) Please provide a list of all reports, including security reports, and report libraries
that come standard with the system.
5.1.11 Security
Function Vendor Response
Yes No Comments
a) Does the application security utilize RDBMS security
roles?
b) Can the application security utilize enterprise directory
services for user authentication?
c) Can SMMC enforce password standards, such as
length, expiration, and character sets in your
application?
d) For your application, is the authentication process
encrypted?
e) Are users able to change passwords through the
application at their own discretion?
f) Does your product provide security controls to restrict
access by:
i Application module
ii On-line function
iii Screen within function
iv Data element/section of chart
v User ID
g) Can groups of user security be changed at one time?
h) Can security be copied from one user or group to
another then modified?
i) Can user-defined security criteria be set?
j) Is there an audit trail for security changes?
k) Is one sign-on process sufficient to control access to
all authorized functions/modules?
l) Are separate passwords required for specific screens
or modules?
m) Can one user be signed on to multiple devices
simultaneously (i.e., using the same password)?
n) Does the system provide use statistics by user ID?
o) Does the system provide an audit trail that can be
used to identify transactions or data accesses that
have been performed by:
i Input Device
ii Function
iii Patient/Record
iv User Role
v User Identity
p) Are all transactions identified with a user ID?
q) Does the system provide additional security for Web
access (if available)?
r) Does the system include options for:
i Failed access attempts to be tracked and
reported?
ii Specifying the number of failed attempts allowed?
iii Action upon maximum failed attempts?
s) Can audit logs be archived and recalled as needed?
t) Does the system have a “time out” feature that
automatically signs off a user if a workstation has
been left unattended for a SMMC-defined time
period?
u) Can system “time out” parameters be modified by
SMMC without vendor assistance?
v) Does the system allow for controlling/removing
access for users no longer needing access?
w) Can SMMC define a period after which an unused
sign-on is deactivated/disabled from the system?
x) Can vendor support personnel access the system
without SMMC knowledge?
y) Does the system have a function that will
automatically “log off” ALL users?
z) Does the system support electronic signature?
Security - Additional Requirements
i) Describe how the system provides for the capability to restrict access to particular records
within the system, based on user ID or specified fields (i.e., discharged facility).
ii) How is single sign-on to all applications implemented?
iii) Describe your approach to utilizing biometric and/or proximity/RFID device solutions for
user authentication. Do you have any of these solutions in production? If
so, describe the environment and benefits delivered.
iv) Please describe the ability of software to conform to SSL and describe any other
encryption capabilities of the software.
5.1.12 Database
Function Vendor Response
Yes No Comments
a) Is the database schema documented and provided to
SMMC?
b) Does the database schema identify all databases and
files and indicate direction of data flow?
c) Is the database schema automatically updated and
re-distributed as new releases are made available?
d) Do the database schema/tables have a standards
convention?
e) Is there an entity relationship model for the
application?
Database - Additional Requirements
i) Is the DBMS used standard or proprietary? If proprietary, describe the structure
and any required support procedures.
ii) How many database servers and mirrors are recommended? Is there a
production, test/training and development environment as delivered, etc.?
iii) Describe a plan and tools used to inspect, report on, and repair the database(s).
iv) Describe your database mirroring. How is the “correct” copy known?
v) Describe database backup plans.
vi) What different levels of database support does your company provide?
vii) How do you package your database installs and upgrades for your application? Is
the upgrade/install configurable to different database environments (i.e., schema name,
database names, table space names…)?
5.1.13 Data Dictionaries and File Design
a) Does your system have "master files" where universal information can be entered
once and accessed by other applications (e.g., patient demographic information)?
Does this apply to all applications proposed?
b) Are any files updated in a batch mode? If so, please indicate which files, the
frequency in which these files are updated and the length of time necessary for
batch updates to be performed. Can the online functions be active while
batch updates are done?
c) Can all data elements be viewed, printed, interfaced, updated, reported on and/or
listed as needed? Identify any that cannot.
d) Does the system allow the user to restrict printing and display of confidential data
elements if flagged in the data dictionary?
5.1.14 Data Access and Storage
a) Describe database storage model used by application, such as relational, network,
or hierarchical. How will this affect the report writing capabilities of the
system?
b) Describe the use of SAN (Block Level) and/or NAS (File Level) protocols associated
with the proposed solution. What SAN/NAS storage vendors and products
are certified to work with your system?
c) Describe the recommended storage solution, hierarchy, sizing/capacity, speed, etc.
d) Does the proposed system include:
i) User-defined menus
ii) User-defined screens/start-pages
iii) User-defined fields
iv) User-defined function keys
v) User-customizable patient summary screens (data from demographics, allergies,
documentation, orders, flowsheets, results, etc.)
e) Are required fields SMMC-definable?
f) How is data integrity maintained? What tools are used?
5.1.15 Interfaces
Function Vendor Response
Yes No Comments
a) Do you support the use of interface engines? If yes,
comment on which engine(s) are supported.
b) Are all system interfaces HL7 compliant?
c) Do you provide detailed interface specifications?
d) Do you make technical staff available to answer
questions and assist in data mapping with other
vendors?
e) Does the vendor support controlled user access to
monitor the interfaces and to stop/start the
interfaces?
f) Is there an interface error log on the system and can
client personnel access it?
g) Does the system attempt to re-send transactions in
the event of a failure?
Interface - Additional Requirements
1. Describe your overall design approach to developing, testing, implementing and
upgrading system interfaces to third party systems.
2. Provide a list of the interfaces that have been developed/implemented for your CIS.
Include type of interface and vendor/system interfaced to/from.
3. Provide a list of the medical device (telemetry monitors, EKGs, ventilators, etc.) interfaces
that you have developed/implemented for your CIS.
4. Please discuss how you have taken steps towards interoperability in support of the
Continuity of Care Document (CCD) and Continuity of Care Record (CCR) core data sets.
Please indicate if you have implemented the CCD or CCR XML schema with any clients
and if so, to what other clinical software systems.
5. SMMC’s specific interface requirements include the following. Please describe your ability
to interface to each and include pricing in the Systems Costs section (Section 8.0). The
minimum transaction types and systems involved are listed below.
a. ADT (bi-directional)
i. Inbound to CIS and Document Management from Invision
ii. Outbound from CIS and Document Mgmt to Invision (to avoid data
discrepancies; may not be required if patient demographic data cannot be
edited in the CIS and Document Mgmt system)
b. Orders/Results (bi-directional including order status/results and inquiry) If
proposing these systems
i. Orders Outbound from CIS to Novius Lab and Siemens RIS
ii. Orders & Order Status/Results Inbound to CIS from Novius Lab, Siemens
RIS
c. Charges (uni-directional)
i. Hospital-based Charges Outbound from CIS to Invision
ii. Professional Charges Outbound from CIS to Invision
d. Transcription (uni-directional)
i. Transcription Inbound to CIS and/or EDMS from Webmedx
e. Pulsecheck EDIS Integration Requirements
i. Medication Orders Inbound to CIS Pharmacy module from Pulsecheck
ii. Comprehensive clinical data from Pulsecheck EDIS to CIS (supporting CCD
standards):
a. Height/weight, allergies/reactions, advanced directive, clinical
history, reason for visit, problem list, ED documentation, medications
(home and administered while in ED) and time of meds
administration in the ED to the CIS eMAR.
iii. Order processing for ED orders. Currently done from Pulsecheck to Invision
and then to Lab and Rad. If proposal includes a different solution, please
outline it here.
f. eClinicalWorks (eCW) Ambulatory EMR Integration Requirements
i. Bi-directional between CIS and eCW AEMR to support patient continuum
a. User defined / CCD elements and/or documents to support continuity
of care, e.g., Height/weight, allergies/reactions, advanced directive,
clinical history, problem list, ‘home’ medications, lab values, etc.
b. Potential orders to ancillaries; current process as defined above for
Pulsecheck.
c. Messaging to support notification of PCP of hospital admission and
outbound discharge summaries.
g. Additional Interfaces
i. Based on information provided, outline any other interfaces to be proposed
with explanation of purpose and systems affected. Examples could include
medication interfaces with Pyxis, Pharmacy, etc or others.
5.1.16 Hardware and Operating System
Function Vendor Response
Yes No Comments
a) Does the system require nightly procedures/daily
processing? If so, describe. Will the system remain in
production?
b) Without replacing the proposed CPU, can the capacity of
each of the following be increased by 100% (doubled):
i) Memory
ii) Disk Storage – platform specific or SAN
c) Does the system support the use of wireless notebook
computers/tablet PCs for entry of patient information?
d) Does the system support the use of handheld devices
for entry of patient information? Describe.
e) Does the system support the following data input modes:
i) Light pen
ii) Bar code reader
iii) Touch screen
Hardware and Operating System - Additional Requirements
i) What is the latest generation technology platform(s) that the system is offered on?
Please provide an approximate breakdown of how many clients are running on this and
the previous still-supported platform options.
ii) What operating systems are supported? Approximately how many clients run on
each operating system? What operating system is the application developed in?
What operating system(s) was, or is, the application ported to and in what order?
iii) Describe the approach used in determining an appropriate hardware sizing and
configuration for SMMC. Identify data, assumptions and calculations used.
iv) For each of the following, identify 1) Vendor-certified solutions (or standard minimum)
and recommended configuration requirements, 2) Data connectivity/integration approach
between device and the system, and 3) system-specific software required to be installed
in the device.
a) End user systems, including but not limited to: O/S, CPU, disk drive capacity,
system memory, and monitor size:
1) Local desktop workstation
2) Handheld tablet workstation
3) Handheld device
4) Remote/Off Site Workstation
b) Data input systems:
1) Bar code solution
2) Scanners (specify for both single and large scale scanning stations)
3) Voice capture
4) External images – ex., .jpeg from digital camera
5) Electronic signature capture
c) Output systems:
1) Laser printer
2) Impact printer
3) Label printer
4) Bar code printer
v) What Web browser and version is recommended? What Web browsers are
supported? Are systems specific add-in components required?
vi) Describe environment and space requirements for proposed hardware. Include a
description of the requirements for space, heating, location, flooring, ventilation, air
conditioning, and fire protection.
5.1.17 Network
a) For each transaction (per application) provide bandwidth and response times
required.
b) How much traffic will be generated per transaction?
c) What is the expected number of transactions per day for SMMC?
d) What type of network architecture is supported?
e) What type of integration into Active Directory or LDAP does the application support?
f) On the wide area network what is the minimum response time required?
g) How does the application respond across a T1 or DSL Connection? Is the use of
Citrix or Terminal Services required to ensure efficient response time?
h) Can end users’ desktops support DHCP? If no, explain.
i) Describe technical design of Web access capability (if any).
j) Does vendor require access to application servers? How is security handled?
5.1.18 Remote Access
a) Describe in detail the remote access methods you currently support for your
application.
b) Do you have client(s) currently connecting to your application via an Internet VPN
connection? If so, what is the minimum bandwidth required?
c) Does your product offer web-based remote access that provides full access to
application’s functionality? If so, please describe. If not, please describe limitations
to access that would result.
d) Does your solution support SSL for remote access security?
5.1.19 Operations/Disaster Recovery
a) Does your system support disk shadowing?
b) Are there any special disaster recovery considerations for your application?
c) Does SMMC have the ability to perform disk compression, initialize files, tapes,
disks, packs, etc.?
d) For your application, is downtime required for any function? If so, explain.
e) For your application, describe your backup methodology.
f) How are back-up configuration files handled?
g) Define your uptime performance warranty.
5.1.20 Functional Requirements (Excel insert – APPENDIX F)
This section gathers information related to the functional requirements of SMMC and how well
your proposed product(s) meets these requirements.
SMMC is requesting information on all of the functionality outlined in Section 4.1 Project
Application Scope and Description.
Please use the enclosed Excel workbook “SMMC Appendix F Func Reqs” to document your
responses to the functional requirements.
The seven tabs (highlighted in yellow) comprise the primary ‘core’ modules that SMMC will be
focused on in “Phase 1” of their deployment. The two tabs highlighted in blue comprise
additional functionality that SMMC would like detailed responses on for their consideration.
1. Vendor Instructions
2. Hospital-based Core Clinicals
3. Critical Care
4. Enterprise Document Management System (EDMS)
5. Portals
6. Global Functions
7. HIM
8. Reporting Tools
9. Pharmacy
In addition to specific requirements outlined in the detailed Excel worksheets please provide
information (and pricing) on software that you offer to support the following areas:
• Referral Management System
• Case Management System
• Perioperative Services
• Cardio Vascular Information System (CVIS)
• Personal Health Record
• Long Term Care—functionality and record integration
5.1.21 Cost Proposal – Clearly define and itemize all costs associated with the
services defined in your proposal, to include travel if required. Please use the
Cost Proposal form (Excel Spreadsheet)—Appendix D.
The pricing must clearly define all costs expected to be incurred by SMMC during
implementation and throughout the term of the contract. They must clearly separate one-
time costs, implementation/installation costs, and recurring costs over a five-year period.
If the software is compatible with multiple hardware platforms, please propose a
recommended platform for the SMMC environment and infrastructure standards as noted
in Section 2.0.
The proposed configuration should reflect a high-availability/redundant model and also
include disaster recovery recommendations.
5.1.22 Describe start-up requirements and the lead-time necessary to begin
providing services.
5.1.23 Describe your invoicing, remittance, and reconciliation process. Note the
County invoicing requirements as specified in Exhibit B of the standard County
Agreement (attached).
5.2 Proposal Format and Submission
All proposals should be typewritten; have consecutively numbered pages, including any
exhibits, charts, or other attachments; and be securely bound.
Proposals shall be organized into the following major sections:
Title Page
Letter of Transmittal
Table of Contents
Executive Summary
Scope of Services
Company Background
Client References
Cost Proposal
Exceptions to the RFP
Required Attachments (including the Contractor’s Declaration Form)
Statement of Compliance with County conditions
The proposer must sign proposals. An unsigned proposal may be rejected.
All proposals must remain valid for a period of not less than 180 days from the
submission. This includes pricing as well as nominated engagement staff.
All proposals can be amended or withdrawn before the deadline has been reached.
Submit one (1) original and seven (7) double-sided copies. Also on one (1) CD-ROM
submit an electronic copy of the proposal.
Submit proposal and include the name and address of the proposer on the outside of
the package and in a cover letter. Address or deliver proposals before the deadline to:
San Mateo County
RFP # ISD 1805
Cyndy Chin, Administrative Assistant
222 W. 39th Avenue
San Mateo, California 94403
6. Final Filing Date
Proposals must be received by the County by 2PM PST on Feb 4, 2011.
6.1 Additional Information
If the County determines, at its sole discretion, that additional information is required or
desirable beyond that provided in the proposal(s) of any of the proposer(s), County shall
invite the proposer(s) to make oral and/or written presentations to the Evaluation
Committee.
7. Evaluation of Proposals
An Evaluation Committee will be composed of at least one representative from each of
the following departments: Nursing, Ancillary services, Providers, Revenue Cycle and
HIM. In addition, the committee will also include the Chief Medical Information Officer,
the Chief Medical Officer, the Health System IT Deputy Director and an ISD
Relationship Manager. The Evaluation Committee will evaluate proposals and the
qualifications of proposers submitting proposals. The evaluation criteria include, but are
not limited to, those listed below in paragraph 7.1, “Evaluation Criteria”. The Evaluation
Committee will submit to the Director of Information Services the recommendation of the
Committee’s evaluation. The Director can accept or reject any recommendation.
7.1 Evaluation Criteria
Each proposal will be assessed by the Evaluation Committee based upon the
evaluation criteria that will include the following:
(Not listed in order of importance)
Proposer’s experience;
Capability and experience of key personnel;
Quality of references;
Clarity of understanding of the scope of services to be provided;
Experience with other public or private agencies to provide case study numbers;
History of successfully providing similar services;
History of successfully managing other contracts with public or private agencies;
Ability to satisfy SMMC’s functional requirements;
Ability to meet required timeline;
Proposal cost; and
Ability to comply with the County’s contract requirements.
The County may consider any other criteria it deems relevant, and the Evaluation
Committee is free to make any recommendations it deems to be in the best interest of
the County.
7.2 Notification
Notification of the Information Services Director’s recommendation will be done by fax
transmission and/or by e-mail when the selection process is completed. Please be sure
to include all requested contact information.
8. Protest Process
If a proposer desires to protest the selection decision, the proposer must submit a
written protest within five (5) business days after the delivery of the notice letter about
the decision. The written protest should be submitted to the Director of Information
Services as outlined below. Protests received after the deadline will not be accepted.
Protests must be in writing, must include the name and address of the Proposer and the
Request for Proposals numbers, and must state the specific ground(s) for the protest. A
protest that merely addresses a single aspect of the selected proposal, e.g., comparing
the cost of the selected proposal in relation to the non-selected proposal, is not
sufficient to support a protest. A successful protest will include sufficient evidence and
analysis to support a conclusion that the selected proposal, taken as a whole, is an
inferior proposal.
The Director of Information Services will respond to a protest in writing, and the County
may, at its election, set up a meeting with the proposer to discuss the concerns raised
by the protest. The decision of the Director of Information Services will be final.
The protest must reference this RFP by number, be in writing, include contact
information for the protesting party, and be faxed or emailed to:
Kathleen Boutte Foster, Deputy Director Information Management Services-Health, ISD
and Cyndy Chin, Administrative Assistant, ISD
Email: kbfoster@co.sanmateo.ca.us and cchin@co.sanmateo.ca.us
FAX: (650) 627-9160
9. Contract Negotiation and Inability to Negotiate a Contract
After a proposer has been selected by the Director of Information Services, the County
and such proposer will negotiate a contract for submission to the County’s Board of
Supervisors for consideration and possible approval. Sole authority for acceptance of
any such agreement lies with the County’s Board of Supervisors, and submission of an
agreement to the Board of Supervisors is not a guarantee that it will be executed. If a
satisfactory contract cannot be negotiated, the County may, in its sole discretion,
negotiate with another vendor.
County Contract Template & Contractor Declaration Form
AGREEMENT BETWEEN THE COUNTY OF SAN MATEO AND
[Contractor name]
THIS AGREEMENT, entered into this _____ day of _______________ , 20_____, by
and between the COUNTY OF SAN MATEO, hereinafter called "County," and
[Contractor name here], hereinafter called "Contractor";
W I T N E S S E T H:
WHEREAS, pursuant to Government Code, Section 31000, County may contract with independent
contractors for the furnishing of such services to or for County or any Department thereof;
WHEREAS, it is necessary and desirable that Contractor be retained for the purpose of [Enter
information here].
NOW, THEREFORE, IT IS HEREBY AGREED BY THE PARTIES HERETO AS FOLLOWS:
1. Exhibits and Attachments
The following exhibits and attachments are included hereto and incorporated by reference herein:
Exhibit A—Services
Exhibit B—Payments and rates
Attachment H—HIPAA Business Associate requirements
Attachment I—§ 504 Compliance
Attachment IP – Intellectual Property (**if the IP Attachment does not apply to this contract then delete this line**)
2. Services to be performed by Contractor
In consideration of the payments set forth herein and in Exhibit “B,” Contractor shall perform services for County
in accordance with the terms, conditions and specifications set forth herein and in Exhibit “A.”
3. Payments
In consideration of the services provided by Contractor in accordance with all terms, conditions and specifications
set forth herein and in Exhibit "A," County shall make payment to Contractor based on the rates and in the
manner specified in Exhibit "B." The County reserves the right to withhold payment if the County determines that
the quantity or quality of the work performed is unacceptable. In no event shall the County’s total fiscal obligation
under this Agreement exceed [Write out amount], [$Amount].
4. Term and Termination
Subject to compliance with all terms and conditions, the term of this Agreement shall be from [Month and day],
20[Last 2 digits of year] through [Month and day], 20[Last 2 digits of year].
This Agreement may be terminated by Contractor, the [Name of County Department Head] or his/her designee at
any time without a requirement of good cause upon thirty (30) days’ written notice to the other party.
In the event of termination, all finished or unfinished documents, data, studies, maps, photographs, reports, and
materials (hereafter referred to as materials) prepared by Contractor under this Agreement shall become the
property of the County and shall be promptly delivered to the County. Upon termination, the Contractor may
make and retain a copy of such materials. Subject to availability of funding, Contractor shall be entitled to receive
payment for work/services provided prior to termination of the Agreement. Such payment shall be that portion of
the full payment which is determined by comparing the work/services completed to the work/services required by
the Agreement.
5. Availability of Funds
The County may terminate this Agreement or a portion of the services referenced in the Attachments and Exhibits
based upon unavailability of Federal, State, or County funds, by providing written notice to Contractor as soon as
is reasonably possible after the County learns of said unavailability of outside funding.
6. Relationship of Parties
Contractor agrees and understands that the work/services performed under this Agreement are performed as an
independent Contractor and not as an employee of the County and that Contractor acquires none of the rights,
privileges, powers, or advantages of County employees.
7. Hold Harmless
Contractor shall indemnify and save harmless County, its officers, agents, employees, and servants from all
claims, suits, or actions of every name, kind, and description, brought for, or on account of: (A) injuries to or
death of any person, including Contractor, or (B) damage to any property of any kind whatsoever and to
whomsoever belonging, (C) any sanctions, penalties, or claims of damages resulting from Contractor’s failure to
comply with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
and all Federal regulations promulgated thereunder, as amended, or (D) any other loss or cost, including but not
limited to that caused by the concurrent active or passive negligence of County, its officers, agents, employees,
or servants, resulting from the performance of any work required of Contractor or payments made pursuant to this
Agreement, provided that this shall not apply to injuries or damage for which County has been found in a court of
competent jurisdiction to be solely liable by reason of its own negligence or willful misconduct.
The duty of Contractor to indemnify and save harmless as set forth herein, shall include the duty to defend as set
forth in Section 2778 of the California Civil Code.
8. Assignability and Subcontracting
Contractor shall not assign this Agreement or any portion thereof to a third party or subcontract with a third party
to provide services required by contractor under this Agreement without the prior written consent of County. Any
such assignment or subcontract without the County’s prior written consent shall give County the right to
automatically and immediately terminate this Agreement.
9. Insurance
The Contractor shall not commence work or be required to commence work under this Agreement unless and
until all insurance required under this paragraph has been obtained and such insurance has been approved by
Risk Management, and Contractor shall use diligence to obtain such insurance and to obtain such approval. The
Contractor shall furnish the County with certificates of insurance evidencing the required coverage, and there
shall be a specific contractual liability endorsement extending the Contractor's coverage to include the contractual
liability assumed by the Contractor pursuant to this Agreement. These certificates shall specify or be endorsed to
provide that thirty (30) days' notice must be given, in writing, to the County of any pending change in the limits of
liability or of any cancellation or modification of the policy.
(1) Worker's Compensation and Employer's Liability Insurance The Contractor shall have in
effect during the entire life of this Agreement Workers' Compensation and Employer's Liability
Insurance providing full statutory coverage. In signing this Agreement, the Contractor certifies, as
required by Section 1861 of the California Labor Code, that it is aware of the provisions of
Section 3700 of the California Labor Code which requires every employer to be insured against
liability for Worker's Compensation or to undertake self-insurance in accordance with the provisions
of the Code, and will comply with such provisions before commencing the performance of the work
of this Agreement.
(2) Liability Insurance The Contractor shall take out and maintain during the life of this Agreement
such Bodily Injury Liability and Property Damage Liability Insurance as shall protect him/her while
performing work covered by this Agreement from any and all claims for damages for bodily injury,
including accidental death, as well as any and all claims for property damage which may arise from
Contractor's operations under this Agreement, whether such operations be by himself/herself or by
any sub-contractor or by anyone directly or indirectly employed by either of them. Such insurance
shall be combined single limit bodily injury and property damage for each occurrence and shall be
not less than the amount specified below.
Such insurance shall include:
(a) Comprehensive General Liability: $1,000,000
(b) Motor Vehicle Liability Insurance: $1,000,000
(c) Professional Liability: $1,000,000
County and its officers, agents, employees and servants shall be named as additional insured on any such
policies of insurance, which shall also contain a provision that the insurance afforded thereby to the County, its
officers, agents, employees and servants shall be primary insurance to the full limits of liability of the policy, and
that if the County or its officers and employees have other insurance against the loss covered by such a policy,
such other insurance shall be excess insurance only.
In the event of the breach of any provision of this section, or in the event any notice is received which indicates
any required insurance coverage will be diminished or canceled, the County of San Mateo at its option, may,
notwithstanding any other provision of this Agreement to the contrary, immediately declare a material breach of
this Agreement and suspend all further work pursuant to this Agreement.
10. Compliance with laws; payment of Permits/Licenses
All services to be performed by Contractor pursuant to this Agreement shall be performed in accordance with all
applicable Federal, State, County, and municipal laws, ordinances and regulations, including, but not limited to,
the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Federal Regulations
promulgated thereunder, as amended, and will comply with the Business Associate requirements set forth in
Attachment “H,” and the Americans with Disabilities Act of 1990, as amended, and Section 504 of the
Rehabilitation Act of 1973, as amended and attached hereto and incorporated by reference herein as Attachment
“I,” which prohibits discrimination on the basis of handicap in programs and activities receiving any Federal or
County financial assistance. Such services shall also be performed in accordance with all applicable ordinances
and regulations, including, but not limited to, appropriate licensure, certification regulations, provisions pertaining
to confidentiality of records, and applicable quality assurance regulations. In the event of a conflict between the
terms of this Agreement and State, Federal, County, or municipal law or regulations, the requirements of the
applicable law will take precedence over the requirements set forth in this Agreement. Further, Contractor
certifies that the Contractor and all of its subcontractors will adhere to all applicable provisions of Chapter 4.106
of the San Mateo County Ordinance Code, which regulates the use of disposable food service ware.
Contractor will timely and accurately complete, sign, and submit all necessary documentation of compliance.
11. Non-Discrimination and Other Requirements
A. Section 504 applies only to Contractors who are providing services to members of the public.
Contractor shall comply with § 504 of the Rehabilitation Act of 1973, which provides that no otherwise
qualified handicapped individual shall, solely by reason of a disability, be excluded from the
participation in, be denied the benefits of, or be subjected to discrimination in the performance of this
Agreement.
B. General non-discrimination. No person shall, on the grounds of race, color, religion, ancestry,
gender, age (over 40), national origin, medical condition (cancer), physical or mental disability, sexual
orientation, pregnancy, childbirth or related medical condition, marital status, or political affiliation be
denied any benefits or subject to discrimination under this Agreement.
C. Equal employment opportunity. Contractor shall ensure equal employment opportunity based on
objective standards of recruitment, classification, selection, promotion, compensation, performance
evaluation, and management relations for all employees under this Agreement. Contractor’s equal
employment policies shall be made available to County of San Mateo upon request.
D. Violation of Non-discrimination provisions. Violation of the non-discrimination provisions of this
Agreement shall be considered a breach of this Agreement and subject the Contractor to penalties,
to be determined by the County Manager, including but not limited to
i) termination of this Agreement;
ii) disqualification of the Contractor from bidding on or being awarded a County contract for a
period of up to 3 years;
iii) liquidated damages of $2,500 per violation;
iv) imposition of other appropriate contractual and civil remedies and sanctions, as determined
by the County Manager.
To effectuate the provisions of this section, the County Manager shall have the authority to examine Contractor’s
employment records with respect to compliance with this paragraph and/or to set off all or any portion of the
amount described in this paragraph against amounts due to Contractor under the Contract or any other Contract
between Contractor and County.
Contractor shall report to the County Manager the filing by any person in any court of any complaint of
discrimination or the filing by any person of any and all charges with the Equal Employment Opportunity
Commission, the Fair Employment and Housing Commission or any other entity charged with the investigation of
allegations within 30 days of such filing, provided that within such 30 days such entity has not notified Contractor
that such charges are dismissed or otherwise unfounded. Such notification shall include the name of the
complainant, a copy of such complaint, and a description of the circumstance. Contractor shall provide County
with a copy of their response to the Complaint when filed.
E. Compliance with Equal Benefits Ordinance. With respect to the provision of
employee benefits, Contractor shall comply with the County Ordinance which
prohibits contractors from discriminating in the provision of employee
benefits between an employee with a domestic partner and an employee with
a spouse.
F. The Contractor shall comply fully with the non-discrimination requirements
required by 41 CFR 60-741.5(a), which is incorporated herein as if fully set
forth.
12. Compliance with Contractor Employee Jury Service Ordinance
Contractor shall comply with the County Ordinance with respect to provision of jury duty pay to employees and
have and adhere to a written policy that provides that its employees shall receive from the Contractor, on an
annual basis, no less than five days of regular pay for actual jury service in San Mateo County. The policy may
provide that employees deposit any fees received for such jury service with the Contractor or that the Contractor
deduct from the employees’ regular pay the fees received for jury service.
13. Retention of Records, Right to Monitor and Audit
(a) CONTRACTOR shall maintain all required records for three (3) years after the COUNTY makes final payment
and all other pending matters are closed, and shall be subject to the examination and/or audit of the County, a
Federal grantor agency, and the State of California.
(b) Reporting and Record Keeping: CONTRACTOR shall comply with all program and fiscal reporting
requirements set forth by appropriate Federal, State and local agencies, and as required by the COUNTY.
(c) CONTRACTOR agrees to provide to COUNTY, to any Federal or State department having monitoring or
review authority, to COUNTY's authorized representatives, and/or their appropriate audit agencies upon
reasonable notice, access to and the right to examine all records and documents necessary to determine
compliance with relevant Federal, State, and local statutes, rules and regulations, and this Agreement, and to
evaluate the quality, appropriateness and timeliness of services performed.
14. Merger Clause
This Agreement, including the Exhibits attached hereto and incorporated herein by reference, constitutes the sole
Agreement of the parties hereto and correctly states the rights, duties, and obligations of each party as of this
document's date. In the event that any term, condition, provision, requirement or specification set forth in this
body of the agreement conflicts with or is inconsistent with any term, condition, provision, requirement or
specification in any exhibit and/or attachment to this agreement, the provisions of this body of the agreement
shall prevail. Any prior agreement, promises, negotiations, or representations between the parties not expressly
stated in this document are not binding. All subsequent modifications shall be in writing and signed by the
parties.
15. Controlling Law and Venue
The validity of this Agreement and of its terms or provisions, as well as the rights and duties of the parties
hereunder, the interpretation, and performance of this Agreement shall be governed by the laws of the State of
California. Any dispute arising out of this Agreement shall be venued either in the San Mateo County Superior
Court or in the United States District Court for the Northern District of California.
16. Notices
Any notice, request, demand, or other communication required or permitted hereunder shall be
deemed to be properly given when both (1) transmitted via facsimile to the telephone number listed
below and (2) either deposited in the United States mail, postage prepaid, or when deposited for
overnight delivery with an established overnight courier that provides a tracking number showing
confirmation of receipt, for transmittal, charges prepaid, addressed to:
In the case of County, to:
In the case of Contractor, to:
In the event that the facsimile transmission is not possible, notice shall be given
both by United States mail and an overnight courier as outlined above.
IN WITNESS WHEREOF, the parties hereto, by their duly authorized representatives, have affixed their hands.
COUNTY OF SAN MATEO
By:
President, Board of Supervisors, San Mateo County
Date:
ATTEST:
By:
Clerk of Said Board
D. [Contractor Name Here]
Contractor’s Signature
Date:
Long Form Agreement/Business Associate v 8/19/08
Exhibit “A” – SERVICES
AGREEMENT BETWEEN COUNTY OF SAN MATEO
AND VENDOR NAME (BOLD CAPS)
In consideration of the payments set forth in Exhibit “B”, Contractor shall provide the following services:
SCOPE OF WORK
The methods and techniques used to provide services to the County are within the Contractor’s
discretion, but subject to County Information Services Department’s technology policies, guidelines, and
requirements. The amount of time, specific hours, and location of the performance of the Contractor’s
Services is also left to the Contractor’s discretion provided that Contractor coordinates with County
Departments as needed.
Exhibit “B” – PAYMENTS AND RATES
AGREEMENT BETWEEN COUNTY OF SAN MATEO
AND VENDOR NAME (BOLD CAPS)
In consideration of the services provided by Contractor in Exhibit “A”, County shall pay
Contractor based on the following fee schedule:
1. SCHEDULE OF CHARGES
Contractor will provide the County’s Information Services Department with original receipts for
all reimbursable expenses. Contractor shall be reimbursed for mileage at $0.505 per mile, and
direct costs for lodging, meals, car rental, and airfare. Meals shall be at the County’s per diem
rate of $45 per day.
Contractor will invoice on a monthly basis. The County will submit payment within thirty (30) days
of receipt of invoice.
In no event shall the total payment for services under this Agreement exceed XXX ($). The
County will have the right to withhold payment if the County determines that the quantity or
quality of work performed is unacceptable.
Contractor agrees that the requirements of this Agreement pertaining to the protection of
proprietary rights and confidentiality shall survive termination of this Agreement.
Attachment H
Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Requirements
Definitions
Terms used, but not otherwise defined, in this Schedule shall have the same meaning as those
terms are defined in 45 Code of Federal Regulations sections 160.103, 164.304 and 164.501. (All
regulatory references in this Schedule are to Title 45 of the Code of Federal Regulations unless
otherwise specified.)
a. Designated Record Set. “Designated Record Set” shall have the same meaning as the
term “designated record set” in Section 164.501.
b. Electronic Protected Health Information. “Electronic Protected Health Information” (“EPHI”)
means individually identifiable health information that is transmitted or maintained in
electronic media, limited to the information created, received, maintained or transmitted by
Business Associate from or on behalf of Covered Entity.
c. Individual. “Individual” shall have the same meaning as the term “individual” in Section
160.103 and shall include a person who qualifies as a personal representative in
accordance with Section 164.502(g).
d. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 Code of Federal Regulations Part 160 and Part 164,
Subparts A and E.
e. Protected Health Information. “Protected Health Information” shall have the same meaning
as the term “protected health information” in Section 160.103 and is limited to the
information created or received by Contractor from or on behalf of County.
f. Required By Law. “Required by law” shall have the same meaning as the term “required by
law” in Section 164.103.
g. Secretary. “Secretary” shall mean the Secretary of the United States Department of Health
and Human Services or his or her designee.
h. Security Incident. “Security Incident” shall mean the attempted or successful unauthorized
access, use, disclosure, modification, or destruction of information or interference with
systems operations in an information system, but does not include minor incidents that
occur on a daily basis, such as scans, “pings”, or unsuccessful random attempts to
penetrate computer networks or servers maintained by Business Associate.
i. Security Rule. “Security Rule” shall mean the Standards for the Protection of Electronic
Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
Obligations and Activities of Contractor
a. Contractor agrees to not use or further disclose Protected Health Information other than as
permitted or required by the Agreement or as required by law.
b. Contractor agrees to use appropriate safeguards to prevent the use or disclosure of the
Protected Health Information other than as provided for by this Agreement.
c. Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to
Contractor of a use or disclosure of Protected Health Information by Contractor in violation
of the requirements of this Agreement.
d. Contractor agrees to report to County any use or disclosure of the Protected Health
Information not provided for by this Agreement.
e. Contractor agrees to ensure that any agent, including a subcontractor, to whom it provides
Protected Health Information received from, or created or received by Contractor on behalf
of County, agrees to the same restrictions and conditions that apply through this Agreement
to Contractor with respect to such information.
f. If Contractor has protected health information in a designated record set, Contractor agrees
to provide access, at the request of County, and in the time and manner designated by
County, to Protected Health Information in a Designated Record Set, to County or, as
directed by County, to an Individual in order to meet the requirements under Section
164.524.
g. If Contractor has protected health information in a designated record set, Contractor agrees
to make any amendment(s) to Protected Health Information in a Designated Record Set
that the County directs or agrees to make pursuant to Section 164.526 at the request of
County or an Individual, and in the time and manner designated by County.
h. Contractor agrees to make internal practices, books, and records relating to the use and
disclosure of Protected Health Information received from, or created or received by
Contractor on behalf of, County available to the County or to the Secretary, in a time and
manner designated by the County or the Secretary, for purposes of the Secretary
determining County’s compliance with the Privacy Rule.
i. Contractor agrees to document such disclosures of Protected Health Information and
information related to such disclosures as would be required for County to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in
accordance with Section 164.528.
j. Contractor agrees to provide to County or an Individual in the time and manner designated
by County, information collected in accordance with Section (i) of this Schedule, to permit
County to respond to a request by an Individual for an accounting of disclosures of
Protected Health Information in accordance with Section 164.528.
k. Contractor shall implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI
that Contractor creates, receives, maintains, or transmits on behalf of County.
l. Contractor shall conform to generally accepted system security principles and the
requirements of the final HIPAA rule pertaining to the security of health information.
m. Contractor shall ensure that any agent to whom it provides EPHI, including a subcontractor,
agrees to implement reasonable and appropriate safeguards to protect such EPHI.
n. Contractor shall report to County any Security Incident within 5 business days of becoming
aware of such incident.
o. Contractor shall make its policies, procedures, and documentation relating to the security
and privacy of protected health information, including EPHI, available to the Secretary of
the U.S. Department of Health and Human Services and, at County’s request, to the County
for purposes of the Secretary determining County’s compliance with the HIPAA privacy and
security regulations.
Permitted Uses and Disclosures by Contractor
Except as otherwise limited in this Schedule, Contractor may use or disclose Protected Health
Information to perform functions, activities, or services for, or on behalf of, County as specified in the
Agreement; provided that such use or disclosure would not violate the Privacy Rule if done by County.
Obligations of County
a. County shall provide Contractor with the notice of privacy practices that County produces in
accordance with Section 164.520, as well as any changes to such notice.
b. County shall provide Contractor with any changes in, or revocation of, permission by
Individual to use or disclose Protected Health Information, if such changes affect
Contractor’s permitted or required uses and disclosures.
c. County shall notify Contractor of any restriction to the use or disclosure of Protected Health
Information that County has agreed to in accordance with Section 164.522.
Permissible Requests by County
County shall not request Contractor to use or disclose Protected Health Information in any
manner that would not be permissible under the Privacy Rule if done by County, unless the Contractor
will use or disclose Protected Health Information for, and if the Agreement provides for, data
aggregation or management and administrative activities of Contractor.
Duties Upon Termination of Agreement
a. Upon termination of the Agreement, for any reason, Contractor shall return or destroy all
Protected Health Information received from County, or created or received by Contractor on
behalf of County. This provision shall apply to Protected Health Information that is in the
possession of subcontractors or agents of Contractor. Contractor shall retain no copies of
the Protected Health Information.
b. In the event that Contractor determines that returning or destroying Protected Health
Information is infeasible, Contractor shall provide to County notification of the conditions
that make return or destruction infeasible. Upon mutual agreement of the Parties that
return or destruction of Protected Health Information is infeasible, Contractor shall extend
the protections of the Agreement to such Protected Health Information and limit further uses
and disclosures of such Protected Health Information to those purposes that make the
return or destruction infeasible, for so long as Contractor maintains such Protected Health
Information.
Miscellaneous
a. Regulatory References. A reference in this Schedule to a section in the Privacy Rule
means the section as in effect or as amended, and for which compliance is required.
b. Amendment. The Parties agree to take such action as is necessary to amend this
Schedule from time to time as is necessary for County to comply with the requirements of
the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law
104-191.
c. Survival. The respective rights and obligations of Contractor under this Schedule shall
survive the termination of the Agreement.
d. Interpretation. Any ambiguity in this Schedule shall be resolved in favor of a meaning that
permits County to comply with the Privacy Rule.
e. Reservation of Right to Monitor Activities. County reserves the right to monitor the security
policies and procedures of Contractor.
(rev. 8/08)
Assurance of Compliance with Section 504 of the Rehabilitation Act of 1973, as Amended
The undersigned (hereinafter called the "Contractor(s)") hereby agrees that it will comply with Section 504
of the Rehabilitation Act of 1973, as amended, all requirements imposed by the applicable DHHS
regulation, and all guidelines and interpretations issued pursuant thereto.
The Contractor(s) gives/give this assurance in consideration of and for the purpose of obtaining contracts
after the date of this assurance. The Contractor(s) recognizes/recognize and agrees/agree that
contracts will be extended in reliance on the representations and agreements made in this
assurance. This assurance is binding on the Contractor(s), its successors, transferees, and
assignees, and the person or persons whose signatures appear below are authorized to sign
this assurance on behalf of the Contractor(s).
The Contractor(s): (Check a or b)
a. Employs fewer than 15 persons.
b. Employs 15 or more persons and, pursuant to section 84.7 (a)
of the regulation (45 C.F.R. 84.7 (a)), has designated the following
person(s) to coordinate its efforts to comply with the
DHHS regulation.
_____________________________________________________
Name of 504 Person - Type or Print
_____________________________________________________
Name of Contractor(s) - Type or Print
_____________________________________________________
Street Address or P.O. Box
_____________________________________________________
City, State, Zip Code
I certify that the above information is complete and correct to the best of my knowledge.
_____________________________________________________
Signature
_____________________________________________________
Title of Authorized Official
_____________________________________________________
Date
*Exception: DHHS regulations state that:
"If a recipient with fewer than 15 employees finds that, after consultation with a disabled
person seeking its services, there is no method of complying with (the facility
accessibility regulations) other than making a significant alteration in its existing facilities,
the recipient may, as an alternative, refer the handicapped person to other providers of
those services that are accessible."
Attachment IP – Intellectual Property Rights
1. The County of San Mateo (“County”), shall and does own all titles, rights and interests in all
Work Products created by Contractor and its subcontractors (collectively “Vendors”) for the
County under this Agreement. Contractor may not sell, transfer, or permit the use of any
Work Products without the express written consent of the County.
2. “Work Products” are defined as all materials, tangible or not, created in whatever medium
pursuant to this Agreement, including without limitation publications, promotional or
educational materials, reports, manuals, specifications, drawings and sketches, computer
programs, software and databases, schematics, marks, logos, graphic designs, notes,
matters and combinations thereof, and all forms of intellectual property.
3. Contractor shall not dispute or contest, directly or indirectly, the County’s exclusive right and
title to the Work Products nor the validity of the intellectual property embodied therein.
Contractor hereby assigns, and if later required by the County, shall assign to the County all
titles, rights and interests in all Work Products. Contractor shall cooperate and cause
subcontractors to cooperate in perfecting County’s titles, rights or interests in any Work
Product, including prompt execution of documents as presented by the County.
4. To the extent any of the Work Products may be protected by U.S. Copyright laws, Parties
agree that the County commissions Vendors to create the copyrightable Work Products,
which are intended to be work-made-for-hire for the sole benefit of the County and the
copyright of which is vested in the County.
5. In the event that the title, rights, and/or interests in any Work Products are deemed not to be
“work-made-for-hire” or not owned by the County, Contractor hereby assigns and shall
require all persons performing work pursuant to this Agreement, including its subcontractors,
to assign to the County all titles, rights, interests, and/or copyrights in such Work Product.
Should such assignment and/or transfer become necessary or if at any time the County
requests cooperation of Contractor to perfect the County’s titles, rights or interests in any
Work Product, Contractor agrees to promptly execute and to obtain execution of any
documents (including assignments) required to perfect the titles, rights, and interests of the
County in the Work Products with no additional charges to the County beyond that identified
in this Agreement or subsequent change orders. The County, however, shall pay all filing
fees required for the assignment, transfer, recording, and/or application.
6. Contractor agrees that before commencement of any subcontract work it will incorporate this
Schedule I to contractually bind or otherwise oblige its subcontractors and personnel
performing work under this Agreement such that the County’s titles, rights, and interests in
Work Products are preserved and protected as intended herein.
Contractor’s Declaration Form
I. CONTRACTOR INFORMATION
Contractor Name: Phone:
Contact Person: Fax:
Address:
II. EQUAL BENEFITS (check one or more boxes)
Contractors with contracts in excess of $5,000 must treat spouses and domestic partners
equally as to employee benefits.
Contractor complies with the County’s Equal Benefits Ordinance by:
offering equal benefits to employees with spouses and employees with domestic
partners.
offering a cash equivalent payment to eligible employees in lieu of equal benefits.
Contractor does not comply with the County’s Equal Benefits Ordinance.
Contractor is exempt from this requirement because:
Contractor has no employees, does not provide benefits to employees’ spouses,
or the contract is for $5,000 or less.
Contractor is a party to a collective bargaining agreement that began on
(date) and expires on (date), and intends to offer equal benefits when said
agreement expires.
III. NON-DISCRIMINATION (check appropriate box)
Finding(s) of discrimination have been issued against Contractor within the past year
by the Equal Employment Opportunity Commission, Fair Employment and Housing
Commission, or other investigative entity. Please see attached sheet of paper
explaining the outcome(s) or remedy for the discrimination.
No finding of discrimination has been issued in the past year against the Contractor by
the Equal Employment Opportunity Commission, Fair Employment and Housing
Commission, or any other entity.
IV. EMPLOYEE JURY SERVICE (check one or more boxes)
Contractors with original or amended contracts in excess of $100,000 must have and adhere to
a written policy that provides its employees living in San Mateo County up to five days regular
pay for actual jury service in the County.
Contractor complies with the County’s Employee Jury Service Ordinance.
Contractor does not comply with the County’s Employee Jury Service Ordinance.
Contractor is exempt from this requirement because:
the contract is for $100,000 or less.
Contractor is a party to a collective bargaining agreement that began on
(date) and expires on (date), and intends to comply when the collective
bargaining agreement expires.
I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct, and
that I am authorized to bind this entity contractually.
________________________________________ ______________________________________
Signature Name
________________________________________ ______________________________________
Date Title
Request for Proposal: Enterprise Clinical Information System Nov. 2010 4
APPENDIX A1
TECHNICAL REQUIREMENTS RESPONSE FORM
FOR A CLIENT SERVER SOLUTION
If proposing a client server solution, please complete and submit Appendix A1 with your proposal.
A. TECHNICAL REQUIREMENTS
1. Description of System
a. Provide a description of the proposed product, database, software and services, including
how the proposed system will meet or exceed the requirements stated in the entire RFP.
Include sufficient technical information about the application, operating environment and
performance data to enable the County to determine whether or not the proposed system
meets the technical environment prerequisites.
b. Identify/list all software required for the solution that is not supplied directly by the
Proposer (any/all third party software).
c. Provide an overview and/or benchmarks relating to the system’s ability to process
information in real time. Include the number of concurrent users as well as named users
the proposed system will accommodate and state the maximum number of recommended
users.
d. Identify any requirement to purchase interfaces from other vendors to work with the
proposed solution.
e. Define the scalability of the proposed system.
i. Can the system be purchased in modules and expanded?
ii. How scalable is the proposed software regarding the number of users?
iii. Does the system scale in parallel, i.e. can additional application servers be
configured in a load-balanced cluster?
iv. Can the database, application and data analysis components be configured to
reside on separate independent servers, so that one impacted subsystem does
not affect the overall solution?
f. Identify how many users can access the proposed system (concurrent users).
g. Identify if the proposed software is COM (Component Object Model) compliant.
h. Identify if the proposed software is ODBC, OLE-DB or OLAP compliant. Identify any
drivers provided.
i. Describe licenses required for the software (concurrent / per seat and the number
associated).
j. Describe how the system protects database records while it is being accessed by one
user, so that multiple users will not attempt to change the record at the same time.
k. Identify if the solution’s database is ACID (Atomicity, Consistency, Isolation and Durability)
compliant, and how it provides transaction rollback capability in the event of a failed
transaction.
l. Define the requirements for a test system. Include all related components (hardware,
software, etc.) Include test system costs.
m. Describe the maximum number of database records that can be stored.
n. Define which third party reporting tools are compatible with the proposed system.
o. Describe the ability to test interfaces to the HIS system.
p. Provide the data dictionary and schema with the system.
q. Describe the minimum monitor and screen resolution limit.
r. Describe the process for change management or customer notification.
s. Describe the current version number and release date, including how often target dates
are met.
t. Provide continuous application and system support 24 hours a day, 365 days per year.
u. Provide the company escalation and response plan, and describe how issues are triaged
and escalated.
v. Provide the average response time of the proposed system, including the average
page/screen flip time.
w. Describe the level of customization available without a programmer or vendor support.
x. Provide the location of the closest service representative.
y. Define the system uptime. Include planned downtime windows.
2. Equipment and Software
a. Provide detailed server hardware specifications, including but not limited to:
i. operating system,
ii. processor type and speed,
iii. redundancy
iv. system configuration
v. hard drive size
b. Include a list of all hardware and software components SMMC must purchase.
c. Describe the proposed system architecture.
d. Describe the proposed system’s transaction processing capabilities.
e. Describe how the client software components are able to coexist with other software and
applications on end-user workstations.
f. Describe the reporting software compatible with the proposed system. (Crystal Reports,
Excel, Access, etc.)
g. Describe hardware support and escalation process.
h. Describe any maintenance and support the client is expected to do.
3. Backup/Recovery
a. Describe the backup capabilities for the proposed system.
b. Describe the process for automatic reprogramming and/or recovery after a failure due to
hardware, software or absence of power.
c. Describe the capabilities for periodically exporting data stored in the database, and if it
can be exported to MS Excel, MS Access or other software.
4. Network/Hardware
a. Proposer must meet the SMMC ISD technical requirements listed in section B 4,
“Technical Environment.”
b. Provide a system/network design diagram, which provides a visual summary of the
system’s servers, network and ancillary components and their relationships.
c. Describe any proprietary equipment utilized.
d. Describe any special networking requirements, i.e. dedicated/segregated network
segments, VLANs, etc.
e. Describe the response time expected with the proposed system.
5. Data Management
a. Describe the data management approach.
b. Explain if the data is stored in separate databases.
c. Provide a copy of the Service Level Agreement.
d. Explain how the information can be retrieved from the archive. Explain how the data is
stored within the database, including if it can be stored in a separate database.
6. Storage
a. Explain how data is archived (e.g., on demand, automatically, via optical disk, etc.)
b. Describe how the system will store the data on non-proprietary media and in an industry-
standard format. Proposer should also specify the type of media used for long-term
storage and the format in which it is stored.
c. Describe the archival scheme for the system, including the recommended length of time
data is retained on the production system and the availability of data for reporting after
archiving.
d. Describe the maximum size of the database and the largest currently operating production
and archive directories.
e. Describe the long-term storage options available for the system.
f. Describe how the system will print information on demand. Proposer must specify any
special hardware or required printers necessary for printing.
g. Explain how long Batches remain in the system.
7. Integration
a. Describe if the system supports a web-based front end or if a client install is required.
b. Define the system’s capability to support multiple browser types (i.e. Internet Explorer,
Mozilla Firefox, and Opera) on different platforms, and the minimum version of each
browser supported if the system supports web-based access.
c. Specify all browser plug-ins necessary to utilize web-based features.
d. Specify the web service standards used and the functionality exposed through the web
services, if the system supports the use of web service protocols such as SOAP.
e. Describe if the system can integrate with the existing registration information system via
outbound HL7 interface.
8. Critical Updates, Patches and Antivirus
a. Describe the process for approving and installing operating system Critical Updates.
Attach the Proposer policy regarding Microsoft Critical Updates.
b. Describe or attach the company Service Pack policy for the proposed solution.
c. Describe any issues that may occur when running Antivirus software in real-time on the
workstations.
d. Describe or attach the company policy regarding the use of anti-virus software with the
proposed system.
e. Describe the disclosure policies related to security vulnerabilities found in the system,
including procedures in place to notify customers of potential flaws, and the average time
between a flaw being discovered and corrective action taken.
9. Application Security Features
a. Describe the system’s compliance with LDAP (Lightweight Directory Access Protocol),
and how the system can be configured to authenticate users against it.
b. Describe how the proposed solution can be configured to authenticate users against an
Active Directory 2003 tree, if possible.
c. Describe how the solution audits user access and privilege use and the information that is
logged.
d. Describe how the solution allows SMMC to configure minimum password difficulty
requirements, and password lockout policies.
e. Describe how the solution allows system administrators to set a password expiration
policy, thereby requiring end-users to change their passwords at a specified interval.
f. Describe how the solution encrypts sensitive information transmitted across the network
and internet, and specify the algorithms used.
g. Specify whether the system establishes user identity via:
i. A user ID and password; or
ii. Two-factor authentication, such as a smart-card and a PIN. If two-factor authentication
is available or used, Proposer must describe the hardware requirements, the
authentication process, and any supplies needed for ongoing implementation.
h. Describe how access privileges are configured in the system, and whether or not
privileges can be based on group designations.
i. Describe how different levels of security and privileges are established.
j. Specify if a “user inactivity timeout” feature is available that forces a user to re-
authenticate if idle for a preconfigured amount of time.
k. Describe how the system utilizes electronic signatures and electronic confirmation.
10. Security
Explain how the security and confidentiality of the system data collected and entered into the
system will be maintained.
11. Escrow
a. Explain your company’s ability to make available a software escrow account and include
the source code and all products released during the maintenance term, including third
party software. List the products that your company will hold in an escrow account and a
list of those products that cannot be held and explain why.
b. Explain in detail the process to retrieve the software source code.
c. Provide written evidence of ability to provide and maintain a Software Escrow account in
the form of a letter from an escrow agent or other acceptable third party.
APPENDIX A2
TECHNICAL REQUIREMENTS RESPONSE FORM
FOR A SAAS SOLUTION
If proposing a SaaS solution, please complete and submit Appendix A2 with your proposal.
A. TECHNICAL REQUIREMENTS
1. Description of System
a. Provide a description of the proposed product, database, software and services, including
how the proposed system will meet or exceed the requirements stated in the entire RFP.
Include sufficient technical information about the application, operating environment and
performance data to enable SMMC to determine whether or not the proposed system
meets the technical environment prerequisites.
b. Identify/list all software required for the solution that is not supplied directly by the
Proposer (any/all third party software).
c. Provide an overview and/or benchmarks relating to the system’s ability to process
information in real time. Include the number of concurrent users as well as named users
the proposed system will accommodate and state the maximum number of recommended
users.
d. Identify any requirement to purchase interfaces from other vendors to work with the
proposed solution.
e. Define the scalability of the proposed system.
i. Can the system be purchased in modules and expanded?
ii. How scalable is the proposed software regarding the number of users?
iii. Does the system scale in parallel, i.e. can additional application servers be
configured in a load-balanced cluster?
iv. Can the database, application and data analysis components be configured to
reside on separate independent servers, so that one impacted subsystem does
not affect the overall solution?
f. Identify how many users can access the proposed system (concurrent users).
g. Identify if the proposed software is COM (Component Object Model) compliant.
h. Identify if the proposed software is ODBC, OLE-DB or OLAP compliant. Identify any
drivers provided.
i. Describe licenses required for the software (concurrent / per seat and the number
associated).
j. Describe how the system protects database records being accessed by multiple users, so
that users cannot attempt to change a record at the same time.
k. Identify if the solution’s database is ACID (Atomicity, Consistency, Isolation and Durability)
compliant, and how it provides transaction rollback capability in the event of a failed
transaction.
l. Define the requirements for a test system. Include all related components (hardware,
software, etc.) Include test system costs.
m. Describe the maximum number of database records that can be stored.
n. Define which third party reporting tools are compatible with the proposed system.
o. Describe the ability to test interfaces with the Hospital Information System (HIS).
p. Provide the data dictionary and schema with the system.
q. Describe the minimum monitor and screen resolution limit.
r. Describe the process for change management or customer notification.
s. Describe the current generally available (GA) version number and release date, including
how often new GA releases are made available.
t. Provide continuous application and system support 24 hours a day, 365 days per year.
Describe the process for requesting support during standard business hours and after
hours.
u. Provide the company escalation and response plan, and describe how issues are triaged
and escalated.
v. Provide the average response time of the proposed system, including the page/screen flip
time.
w. Describe the level of customization available without a programmer or vendor support.
x. Provide the location of the closest service representative.
y. Define the system uptime. Include planned downtime windows.
2. Equipment and Software
a. Provide detailed workstation hardware specifications, including but not limited to,
operating system, RAM, size of the hard drive, type of monitors, barcode devices,
scanning devices, barcode printing devices, etc.
b. Provide detailed hardware specifications for any customer-hosted components being
proposed.
c. Describe how the client software components are able to coexist with other software and
applications on end-user workstations.
d. Describe the proposed system architecture.
e. Describe hardware support and escalation process for any customer-hosted component.
f. Describe any customer required maintenance/support tasks, and any relevant
maintenance schedules.
g. Describe the reporting software compatible with the proposed system. (Crystal Reports,
Excel, Access, etc.)
3. Backup/Recovery
a. Describe the backup capabilities for the proposed system, including:
i. Process for how backups are performed
ii. Process for Tenant-initiated backups
iii. Service availability guarantee
b. Describe in detail your company’s Disaster Recovery plan, including requirements for
zero-downtime.
c. Describe the notification provided if an application failure occurs.
d. Describe the process for automatic reprogramming and/or recovery after a failure due to
hardware, software or absence of power.
e. Describe the capabilities for periodically exporting data stored in the database, and if it
can be exported to MS Excel, MS Access or other software. Specify supported export
formats (i.e. Excel, CSV, etc.)
4. Network/Hardware
a. Proposer must meet the SMMC ISD technical requirements listed in section B 4,
“Technical Environment.”
b. Provide a system/network design diagram, which provides a visual summary of the
system’s servers, network and ancillary components and their relationships.
c. Describe any proprietary equipment utilized.
d. Describe any special networking requirements, i.e. dedicated/segregated network
segments, VLANs, etc.
e. Describe the average response time expected with the proposed system.
5. Storage
a. Explain how data is archived (e.g., on demand, automatically, via optical disk, etc.)
b. Describe how the system will store the data on non-proprietary media and in an industry-
standard format. Proposer should also specify the type of media used for long-term
storage and the format in which it is stored.
c. Describe the archival scheme for the system, including the recommended length of time
data is retained on the production system and the availability of data for reporting after
archival.
d. Describe the maximum size of the database and the largest currently operating production
and archive systems.
e. Describe the long-term storage options available for the system.
f. Describe how the system will print information on demand. Proposer must specify any
special hardware or required printers necessary for printing.
g. Explain how the data is stored within the database, including if it can be stored in a
separate database for disparate customers and/or locations. Explain how data from
multiple tenants/customers is segregated and arranged.
h. Explain how the information can be retrieved from the archive.
i. Explain how long batches remain in the system.
6. Data Management
a. Describe the data management approach.
b. Explain if the data is stored in separate databases.
c. Discuss how databases are kept confidential and how data co-mingling/sharing is
prevented.
d. Provide a copy of the Service Level Agreement.
7. Integration
a. Define the system’s capability to support multiple browser types (i.e. Internet Explorer,
Mozilla Firefox, and Opera) on different platforms, and the minimum version of each
browser supported if the system supports web-based access.
b. Specify all browser plug-ins necessary to utilize web-based features.
c. Specify the web service standards used and the functionality exposed through the web
services, if the system supports the use of web service protocols such as SOAP.
d. Describe if the system can integrate with the existing Registration information system via
outbound HL7 interface.
e. Complete and submit the SaaS Security Assessment Checklist.
8. Critical Updates, Patches and Antivirus
a. Describe the process for approving and installing operating system Critical Updates.
Attach the Proposer policy regarding Microsoft Critical Updates.
b. Describe or attach the company Service Pack policy for the proposed solution.
c. Describe the Antivirus software used to protect data in real-time on the vendor’s servers.
d. Describe any issues that may occur when running Antivirus software in real-time on the
workstations.
e. Describe or attach the company policy regarding the use of anti-virus software with the
proposed system.
f. Describe the disclosure policies related to security vulnerabilities found in the system,
including procedures in place to notify customers of potential flaws, and the average time
between a flaw being discovered and corrective action taken.
9. Application Security Features
a. Describe the system’s compliance with LDAP (Lightweight Directory Access Protocol),
and how the system can be configured to authenticate users against it.
b. Describe how the proposed solution can be configured to authenticate users against an
Active Directory 2003 tree, if possible.
c. Describe how the solution audits user access and privilege use and the information that is
logged.
d. Describe how the solution allows SMMC to configure minimum password difficulty
requirements, and password lockout policies.
e. Describe how the solution allows system administrators to set a password expiration
policy, thereby requiring end-users to change their passwords at a specified interval.
f. Describe how the solution encrypts sensitive information transmitted across the network
and internet, and specify the algorithms used.
g. Specify whether the system establishes user identity via:
i. A user ID and password; or
ii. Two-factor authentication, such as a smart-card and a PIN. If two-factor
authentication is available or used, Proposer must describe the hardware
requirements, the authentication process, and any supplies needed for
ongoing implementation.
h. Describe how access privileges are configured in the system, and whether or not
privileges can be based on group designations.
i. Describe how different levels of security and privileges are established.
j. Specify if a “user inactivity timeout” feature is available that forces a user to
re-authenticate if idle for a preconfigured amount of time.
k. Describe how the system utilizes electronic signatures and electronic confirmation.
10. Security
a. Describe network security features used to protect customer data/information (i.e.
firewalls, network segmentation, etc.)
b. Explain the type of physical security used to protect customer information in vendor data
centers and co-location facilities.
c. Explain the type of electronic security used (i.e. biometrics, authentication and
surveillance) at vendor and co-location facilities.
d. Explain how the security and confidentiality of the system data collected and entered into
the system will be maintained.
11. Escrow
a. Explain your company’s ability to make available a software escrow account and include
the source code and all products released during the maintenance term, including third
party software. List the products that your company will hold in an escrow account, list
those products that cannot be held, and explain why.
b. Explain in detail the process to retrieve the software source code.
c. Provide written evidence of ability to provide and maintain a Software Escrow account in
the form of a letter from an escrow agent or other acceptable third party.
d. Explain in detail the build environment needed to support and/or compile the source code
in the Software Escrow Account.
APPENDIX B
FUNCTIONALITY AND INTEGRATION RESPONSE FORM
The functionality and integration requirements of the RFP are listed in this section. Proposer, if
proposing more than one type of solution, please submit a Functionality and Integration form for each
solution.
Proposed solution (check one): Client Server: _______ SaaS: ______
Proposer Name: ______________________________________________
A. FUNCTIONALITY REQUIREMENTS
In addition to this section of functionality, see the attached Excel spreadsheet and respond to available
functionality questions in the tabs.
Response Code: Proposer should place the appropriate letter designation in the “Availability” column
according to the following codes and their description:
A. Specification is one that currently exists in the proposed software, in the current production
version and included in SMMC’s price. All costs must be reported on the cost response form.
B. Specification is not in the proposed software but is a planned enhancement or will be added
at no additional cost.
C. Specification is not part of the proposed software but will be added at additional cost included
in SMMC’s price. All such additional costs must be reported on an attachment to the cost
response form.
D. Specification is not available in the proposed software.
References: Please provide any additional information requested or any additional information useful to
the proposal in the comments column. If referencing attachments or other included information, write the
location (Section/Page Number) of the discussion of the specification in the Proposer’s proposal.
Technical materials may be submitted as part of the proposal, and should be clearly labeled as such. If
your availability response is “B” or “C”, please provide the estimated delivery date in the appropriate
column below.
Item # | Description | Availability | Est. Delivery Date | Comments
General
1. | Obtain a high level of integration between component modules to minimize redundant data | | |
2. | Facilitate user access to patient and supportive information, and maximize patient safety | | |
3. | Input data that is easy, fast and intuitive, and places an emphasis on user friendliness | | |
4. | Complies with all relevant HIPAA regulations | | |
5. | Supports local, regional, and national vocabularies, updates and enhancements | | |
6. | Includes an integrated standard nomenclature of clinical terms | | |
7. | Can utilize ICD-9, ICD-10 and CPT4 coding | | |
8. | Ability to collect demographic information | | |
9. | Ability to collect referring facility | | |
10. | Ability to collect referring provider | | |
11. | Ability to collect additional information related to the requested transfer | | |
12. | Ability to provide electronic communication channels between referring physician and SMMC | | |
13. | Ability to share information real-time with transport, emergency department and admitting office | | |
14. | Ability to provide work flow questions for each specialty or department being requested (i.e. a list of questions for a neurology transfer and a separate list for a surgery transfer) | | |
15. | Automated reminders of open calls needing attention | | |
16. | Customizable drop down menus | | |
Patient history
17. | Capture, store, display and report on patient history | | |
18. | Capture, store, and report on history collected from outside sources | | |
Report Generation
19. | Formatting reports is flexible to allow for different formats as needed (e.g. graphs, summaries, details, etc.) | | |
20. | Generate reports regarding single or multiple patients | | |
21. | Report on statistics on number of transfer requests by department and acceptance | | |
22. | Ability to meet all reporting requirements ensuring compliance with regulatory mandates such as Title 9, Title 22, CMS, EMTALA | | |
23. | Generate hardcopy or electronic output | | |
Interoperability
24. | Ability to receive and transmit (interface) to other information systems using standards such as HL7 | | |
25. | Ability to utilize different devices to enter and retrieve data, such as, but not limited to: • Laptops including wireless | | |
26. | • Handheld notebook computers and tablets running Microsoft Windows, Pocket PC, Windows Mobile, Linux Mobile operating systems | | |
27. | • iPods/iPads/iPhone | | |
28. | • Other SmartPhones that include email and/or data storage such as BlackBerry, Android-based, etc | | |
29. | Receive and store various clinical data from multiple sources, such as: • Ambulatory EMR (eCW) • Siemens Invision | | |
30. | Receive and store patient demographics (ADT) | | |
31. | Ability to save and retrieve scanned documents | | |
Data Quality
32. | System provides the ability to ensure clean data by providing the following: • Resolution of data type conflicts | | |
33. | • Resolution of naming and key conflicts | | |
34. | • Removal, correction or flagging of bad data | | |
35. | • Maintenance logs | | |
36. | Ability for the system to clean, purge and archive data | | |
Security
37. | Authorize administrators to assign restrictions or privileges to users/groups | | |
38. | Support user name and passwords for individual users. | | |
39. | Support use of strong passwords | | |
40. | Enforce a limit of consecutive invalid attempts by a user. | | |
41. | Identify all users who have accessed data over a given time period, including data and time of access (audit trails) | | |
42. | Ability to identify specific information as confidential. | | |
43. | Ability to provide confidential access accessible by users with specific confidential privileges/rights. | | |
44. | Retain data until purged, deleted, archived or deliberately removed | | |
45. | Provide a method for archiving and retrieving health record information | | |
46. | Provide assurance that security policies are being followed or enforced. | | |
47. | Define and identify security relevant events and the data to be collected and communicated as determined by policy and/or regulation | | |
48. | Ability to allow authorized entities read-only access to data according to agreed upon uses and only as part of an identified audit, subject to appropriate authentication, authorization and access control functionality | | |
49. | Ability to access the system securely via the web (intranet / internet) | | |
50. | Ability to audit system | | |
B. INTEGRATION REQUIREMENTS
PROPOSER NAME: ____________________________________________
ID | QUESTION | ANSWER / EXPLANATION
1. | List the type of interfaces offered and classify them based on the choices below: a. Push model (vendor receives unsolicited messages, e.g. ADT) b. Pull model (vendor sends unsolicited messages, e.g. Charges) c. Query/Response model (query is sent from vendor and response is sent back) |
2. | Is the HL7 (Version 2.x) standard supported? If so, which version? |
3. | If the HL7 (Version 2.x) standard is supported what events are accepted? |
4. | See Exhibit 1 and identify what interfaces are standard support. |
5. | What Interface Engine is used and/or supported? |
6. | What is the format or standard type of data transmitted on each connection type? |
Interface Provided (ADT, Charge, etc.) | Format (HL7, Fixed, ASCII, etc.) | Version / Variant | Connectivity Type (TCP/IP, SNA, etc.) | Freq (Real Time, Batch) | # of connections
Comments:
APPENDIX C1
IMPLEMENTATION, PROJECT MANAGEMENT, TRAINING, AND ONGOING SUPPORT
FOR A CLIENT SERVER SOLUTION
If proposing a client server solution, please submit Appendix C1 in your proposal.
1. Project Implementation Plan and Project Management Team
a. Include the implementation plan the Proposer intends to employ for the project and an
explanation of how it will support the project requirements and logically lead to the required
deliverables. The description shall include the organization of the project team, including
accountability and lines of authority.
b. Describe services to be provided to ensure success of the project e.g. publicize the system to
employees, organizing support infrastructure and processes, consulting on content set up and
management etc.
c. Describe how the relationship between SMMC and Proposer will be managed from an account
and technical support perspective.
d. Describe what is required of SMMC to ensure the successful implementation of the system.
e. Include the steps that will be undertaken to identify and resolve any issues or problems before,
during and after the implementation.
f. Include a list of proposed project staff and key personnel.
g. Provide resumes, experience narratives and at least one reference for key personnel who will be
assigned to the project, if awarded the contract.
h. Explain the relationship of the project management team with the Proposer, including job title and
years of employment with the Proposer; role to be played in connection with the proposal;
relevant certifications and experience.
2. Statement of Work (SOW) - Training Plan
a. Include a description for training of both real time and batch responses for three different
audiences:
i. Power users/administrators, general users, content creators and instructors.
ii. Technical administrators of the proposed system.
iii. Technical operations staff and support staff for the proposed system.
b. Describe the type and quantity of training that will be provided for each audience. The description
must include:
i. The methods by which training will be provided, e.g. online, on-site, webcast, self-paced
online courses, etc.;
ii. A recommended training curriculum;
iii. Explain how the Proposer will work with SMMC to determine training needs and tailor the
curriculum;
iv. Explain the type of training that will be provided at what stage/phase of the project as well as
follow-up training after implementation;
v. Explain the ability to provide training at a County location.
c. Describe the training facility requirements for physical layout, communication needs (internet
connectivity, etc), projectors, # of computers, etc. that are needed to fulfill the proposed training
plan. Identify which elements of the training facility will be supplied by the Proposer.
3. SOW - Project Work Plan
Include a detailed work plan for the implementation and operation of the proposed system.
a. Task Level - The plan shall include all activities necessary for a successful project down to the
task level. No task can exceed eighty hours in the work plan.
b. Identify All Resources - The plan shall clearly identify all Proposer (including subcontractors)
and using agency resources required to successfully complete the project. Provide job
descriptions and the number of personnel to be assigned to tasks supporting implementation of
the project. Identify County resources needed for each task.
c. Deliverables – describe the deliverables of each task.
d. Time lines – describe the timeline of each task.
e. Acceptance criteria – describe the criteria used to determine completion of each task.
f. Plan Progress Charts - The plan shall include appropriate progress/Gantt charts that reflect the
proposed schedule and all major milestones. A sample project plan shall be submitted using
Microsoft Project.
4. System Documentation
a. Describe the documentation provided to facilitate system implementation.
b. Describe the System Administrator documentation provided.
c. Attach a listing summarizing available stock (“canned”) reports provided by the solution and a
sample of each.
d. Describe how system documentation is provided (online, hard copy etc) for the initial
implementation as well as future updates and releases.
5. Acceptance Test Plan
Include an acceptance test plan. The plan shall individually address each system component that
comprises the proposed system, approach for load testing, and number of people to be involved in
testing. The plan should document the acceptance testing approach, resources and/or tools that may
be used to validate the functions and features of the proposed system. Include an example test plan
that is representative of the structure, content, and level of detail planned for this project.
6. Risk Management
Submit a risk assessment using the methodology published by the Project Management Institute or
other comparable methodology. Include risk mitigation strategies as well as the resources the using
agency may utilize to reduce risk.
7. On-Going Service and Support
a. Describe the post implementation follow-up activities that will be provided by the Proposer,
specifically addressing the following tasks:
i. Post-live system debugging to bring application into full conformance with documentation,
proposal and modification specifications
ii. Six-month and 12-month post live operational (non-technical) audits to review SMMC
utilization of the software and to provide recommendations for optimizing benefits.
iii. Describe how application and support documentation is updated and distributed.
b. Provide the normal hours and describe the channels (phone, email, web, etc.) for support.
Describe how after hours support is provided. Describe the support and escalation process,
including response times.
c. Indicate the current version of the package. Indicate when the next major version of the package
will be available. For major software upgrades, describe how often upgrades are released, how
upgrades are defined, developed, tested and released, how customers are notified and educated
about the upgrade. Describe the decision process on how new features and functions get
included in the product.
d. Explain if the cost of upgrades is included in the annual hosting fee.
e. Explain if software upgrades, or other maintenance windows, will impose a service disruption on
the system. If yes, discuss frequency and duration of the service disruptions.
f. Explain if there is a user group. If yes, explain how often they meet and where the meetings are
held. Include if the user group is a separate independent organization or funded and organized
by the Proposer.
8. Value Added Services (Optional)
Proposers are encouraged but not required to propose any optional value added services they
believe would help the using agency to effectively implement, operate or use the proposed system.
Information provided in this section must not exceed two (2) pages in length.
APPENDIX C2
IMPLEMENTATION, PROJECT MANAGEMENT, TRAINING, AND ONGOING SUPPORT
FOR A SAAS SOLUTION
If proposing a SaaS solution, please submit Appendix C2 and Exhibit G in your proposal.
1. Project Implementation Plan and Project Management Team
a. Include the implementation plan the Proposer intends to employ for the project and an
explanation of how it will support the project requirements and logically lead to the required
deliverables. The description shall include the organization of the project team, including
accountability and lines of authority.
b. Describe services to be provided to ensure success of the project e.g. publicize the system to
employees, organizing support infrastructure and processes, consulting on content set up and
management etc.
c. Describe how the relationship between SMMC and Proposer will be managed from an account
and technical support perspective.
d. Describe what is required of SMMC to ensure the successful implementation of the system.
e. Include the steps that will be undertaken to identify and resolve any issues or problems before,
during and after the implementation.
f. Include a list of proposed project staff and key personnel.
g. Provide resumes, experience narratives and at least one reference for key personnel who will be
assigned to the project, if awarded the contract.
h. Explain the relationship of the project management team with the Proposer, including job title and
years of employment with the Proposer; role to be played in connection with the proposal;
relevant certifications and experience.
2. Statement of Work (SOW) - Training Plan
a. Include a description for training of both real time and batch responses for three different
audiences:
i. Power users/administrators, general users, content creators and instructors.
ii. Technical administrators of the proposed system.
iii. Technical operations staff and support staff for the proposed system.
b. Describe the type and quantity of training that will be provided for each audience. The description
must include:
i. The methods by which training will be provided, e.g. online, on-site, webcast, self-paced online
courses, etc.;
ii. A recommended training curriculum;
iii. Explain how the Proposer will work with SMMC to determine training needs and tailor the
curriculum;
iv. Explain the type of training that will be provided at what stage/phase of the project as well as
follow-up training after implementation;
v. Explain the ability to provide training at a County location.
c. Describe the training facility requirements for physical layout, communication needs (internet
connectivity, etc), projectors, # of computers, etc that are needed to fulfill the proposed training
plan. Identify which elements of the training facility will be supplied by the Proposer.
3. SOW - Project Work Plan
Include a detailed work plan for the implementation and operation of the proposed system.
a. Task Level - The plan shall include all activities necessary for a successful project down to the
task level. No task can exceed eighty hours in the work plan.
b. Identify All Resources - The plan shall clearly identify all Proposer (including subcontractors)
and using agency resources required to successfully complete the project. Provide job
descriptions and the number of personnel to be assigned to tasks supporting implementation of
the project. Identify County resources needed for each task.
c. Deliverables – describe the deliverables of each task.
d. Time lines – describe the timeline of each task.
e. Acceptance criteria – describe the criteria used to determine completion of each task.
f. Plan Progress Charts - The plan shall include appropriate progress/Gantt charts that reflect the
proposed schedule and all major milestones. A sample project plan shall be submitted using
Microsoft Project.
4. System Documentation
a. Describe the documentation provided to facilitate system implementation.
b. Describe the System Administrator documentation provided.
c. Attach a listing summarizing available stock (“canned”) reports provided by the solution and a
sample of each.
d. Describe how system documentation is provided (online, hard copy etc) for the initial
implementation as well as future updates and releases.
5. Acceptance Test Plan
Include an acceptance test plan. The plan shall individually address each system component that
comprises the proposed system, approach for load testing, and number of people to be involved in
testing. The plan should document the acceptance testing approach, resources and/or tools that may
be used to validate the functions and features of the proposed system. Include an example test plan
that is representative of the structure, content, and level of detail planned for this project.
6. Risk Management
Submit a risk assessment using the methodology published by the Project Management Institute or
other comparable methodology. Include risk mitigation strategies as well as the resources the using
agency may utilize to reduce risk.
7. On-Going Service and Support
a. Describe the post implementation follow-up activities that will be provided by the Proposer,
specifically addressing the following tasks:
i. Post-live system debugging to bring application into full conformance with documentation,
proposal and modification specifications
ii. Six-month and 12-month post live operational (non-technical) audits to review SMMC
utilization of the software and to provide recommendations for optimizing benefits.
iii. Describe how application and support documentation is updated and distributed.
b. Provide the normal hours and describe the channels (phone, email, web, etc.) for support.
Describe how after hours support is provided. Describe the support and escalation process,
including response times.
c. Indicate the current version of the package. Indicate when the next major version of the package
will be available. For major software upgrades, describe how often upgrades are released, how
upgrades are defined, developed, tested and released, how customers are notified and educated
about the upgrade. Describe the decision process on how new features and functions get
included in the product.
d. Explain if the cost of upgrades is included in the annual hosting fee.
e. Explain if software upgrades, or other maintenance windows, will impose a service disruption on
the system. If yes, discuss frequency and duration of the service disruptions.
f. Explain if there is a user group. If yes, explain how often they meet and where the meetings are
held. Include if the user group is a separate independent organization or funded and organized
by the Proposer.
8. Value Added Services (Optional)
Proposers are encouraged but not required to propose any optional value added services they
believe would help the using agency to effectively implement, operate or use the proposed system.
Information provided in this section must not exceed two (2) pages in length.
APPENDIX D
SaaS SECURITY ASSESSMENT CHECKLIST
Application Name: ______________________________________________ Vendor Name: ___________________________________
ASP/SAAS SECURITY ASSESSMENT CHECKLIST
Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data that will be 1)
stored on the application server at the Vendor site, and 2) that will be transmitted between the application and the County. Also include
information on the user authentication process.
County Policy Ref. # | Description of County Requirement | Details on How Vendor Meets Requirement | Other Security Measures That Mitigate This Risk | Comments
16.3.4 | The Vendor has a written Disaster Recovery Plan that offers a viable approach to restoring operations following an emergency situation. | | |
16.3.4a | The Vendor site has adequate, redundant physical and/or logical network connectivity to ensure continued operations following a network failure. | | |
16.3.4b | The Vendor performs system/application database backups on a schedule that is consistent with the importance of the application. | | |
16.3.4b | Backup media are treated with a level of security commensurate with the classification level of the data they contain. | | |
16.3.4c | Vendor servers are closely monitored for both performance and availability. | | |
16.3.4d | The Vendor is willing to sign a Service Level Agreement (SLA) that is consistent with the importance of the application to SMMC. | | |
16.3.5 | The Vendor has a formal, written Security Policy, and is willing to provide a copy of this policy to SMMC on request. | | |
16.3.5a | If users access the application directly on the Vendor server, user authentication involves more than a simple User ID/password combination, such as one-time password technology. | | |
16.3.5b | Once granted access, Users are limited to authorized activities only; i.e., customers are prevented from accessing either applications or data that belong to other customers. | | |
16.3.5c | Vendor network connectivity is protected by firewalls, intrusion detection/prevention systems, etc. designed to protect against attack. | | |
16.3.5d | The equipment hosting the Department’s application is located in a physically secure facility that employs access control measures, such as badges, card key access, or keypad entry systems. | | |
16.3.5d | Vendor servers are kept in locked areas/cages that limit access to authorized personnel. | | |
16.3.5e | Vendor staff is bonded, and/or have been subjected to background checks. | | |
16.3.5f | Vendor servers are hardened against attack and operating system and security-related software patches are applied regularly. | | |
16.3.5f | Commercially available anti-virus software is used on the servers, and is maintained in a current state with all updates. | | |
16.3.5g | Vendor servers are monitored on a continuous basis, and logs are kept of all activity. | | |
16.3.5g, 16.3.5h, 16.3.5i | The Vendor is willing to report security breaches and/or security issues to SMMC. | | |
16.3.5h | The Vendor conducts regular vulnerability assessments, using viable third-party organizations, designed to assess both the Vendor’s network infrastructure and the individual servers that host applications. | | |
16.3.5h | The Vendor implements “fixes” to correct vulnerabilities discovered during security audits. | | |
16.3.5i | The Vendor has a formal, written Incident Response Plan. | | |
N/A | (Desirable) The network infrastructure hosting the Department application is “air-gapped” from any other network or customer that the Vendor may have. This means that in an ideal situation, the application environment used by SMMC uses a separate, dedicated server and a separate network infrastructure. | | |
N/A | Identify the APIs that may be part of the solution, and indicate industry standards or best practices employed to ensure security of the data and the integration (e.g., web services, directory services, XML, scripting, etc.) | | |
N/A | What application security standards, if any, are followed? (e.g., OASIS, W3C, etc.). | | |
N/A | If the application processes credit card information, has the application been certified as PCI compliant? Include information on the level of compliance (e.g., Merchant Level 2) and how the application has been certified. | | |
Policy 13.0, Encryption | Data “in motion,” including user authentication information and credentials, are encrypted. | | |
Policy 13.0, Encryption | Data “at rest” (stored on the application server), including user authentication information and credentials, are encrypted. | | |
Policy 13.0, Encryption | Encryption or hashing algorithms utilized by the Vendor application infrastructure use standard algorithms that have been published, evaluated and accepted by the general cryptographic community for the kind of data it protects. | | |
N/A | The Vendor is willing to permit on-site visits by County staff in order to evaluate security measures in place. | | |
N/A | If the Vendor will be connecting to SMMC via a private connection (such as a dedicated T1 circuit), the Vendor agrees that the circuit will terminate on the county’s extranet, and operation of the circuit will fall within the policies related to network connections from non-County entities. | | |
N/A | If access to the application uses the Internet, data traffic between the County and the Vendor is protected through the implementation of SSL-VPN or equivalent technology. | | |
Contractor Signature: ___________________________ County CIO’s Office Approval: ______________________
Print Name: ____________________________________ Title: ___________________________________________
Firm Name: ____________________________________ Date: _____________________
Date: __________________________________________
EXHIBIT 1
CURRENT SMMC INTERFACES
INTERFACE NAME | DATA PATH | DATA TYPE
7R7M_FMS | 7R7M->OPL->INVISION | PA CHARGES
ACHIEVE ADT | INV->OPL->ACHIEVE | ADT
DSG PAYMENTS | DSG->OPL->INVISION | PA CHARGES
DSS EXTRACTS | DSS->OPL->SMMC | PT/PA INFO
DSS_SMMC | DSS->OPL->SMMC | PA INFO
ECW_ADT_ERRORS | ECW->OPL->FILE | ADT ERRORS
ECW_INV | ECW->OPL->INV | ADT
ECW_INV_ORM | ECW->OPL->INV | ORDERS
ECW_LCR | ECW->OPL->LCR | RESULTS/PROGRESS NOTES
ER LOG | INV->OPL->FILE | ED PT ADT
FIRSTWATCH ADT | INV->OPL->FILE | FIRSTWATCH PT ADT
GRV3_CDEMS | INV->OPL->CDEMS DB | ADT
GRV3_HCLLBB | INV->OPL->BLOODBANK | ADT
GRV3_OLB26 | INV->OPL->LAB | ADT/ORDER
GRV3_PHM | INV->OPL->PHARM | ADT/ORDER
HCLLBB_ERROR | IVN->OPL->FILE | ADT ERRORS
HCLLBB_INV | BLOODBANK->OPL->INV | DFT
HCLLBB_OLB26 | BLOODBANK->OPL->LAB | RESULTS
INV_ECW | INV->OPL->ECW | ADT
INV_PES | INV->OPL->FILE | PES PT ADT
OLB26 PULSECHECK | ECW->OPL->LCR | RESULTS/PROGRESS NOTES
OLB26_CDEMS | LAB->OPL->CDEMS DB | RESULTS
OLB26_ECW_1 | LAB->OPL->ECW1 | RESULTS
OLB26_ECW_2 | ECW1->OPL->ECW | RESULTS
OLB26_HCLLBB | LAB->OPL->BLOODBAK | ORDERS
OLB26_INV | LAB->OPL->INV | DFT, ORDERS, OSU
OLB26_LCR | LAB->OPL->LCR | RESULTS
OLB26_PHM | LAB->OPL->PHARM | RESULTS
OPL_ERROR | ERROR->OPL->ERROR FILE | ERROR, ALERT
ORCH_ECW | ORCHARD->OPL->ECW | RESULTS
ORCHARD_LCR | ORCHARD->OPL->LCR | RESULTS
ORF | INV->OPL->ORF | ADT
PAYMENT POSTING | FTP->OPL->INV | PA CHARGES
PES LOG | INV->OPL->FILE | PES ADT
PHM_INV | PHARM->OPL->INV | RAS INF
POWERPATH CHARGES | POWERPATH->OPL->INV | CHARGES
POWERPATH GRV3 | POWERPATH->OPL->INV | ADT
POWERPATH RESULTS | POWERPATH->OPL->LCR | RESULTS
POWERPATH_ERROR | POWERPATH->OPL->FILE | ERRORS
POWERSC_RAD26 | POWERSC->OPL->RAD | RESULTS
PSYCH NOTIFY | INV->OPL->FILE | PSYCH ADT
PULSECHECK ADT | INV->OPL->PULSECHECK | ADT
PULSECHECK BILLING | PULSECHECK->OPL->INV | CHARGES
PULSECHECK INV ORD | PULSECHECK->OPL->INV | ORDERS
PULSECHECK INV UPD | PULSECHECK->OPL->INV | ADT
PULSECHECK ORDERS | INV->OPL->PULSECHECK | ORDERS
PULSECHECK RESULTS | PULSECHECK->OPL->LCR | RESULTS
PULSECHECK_BCF_I1 | PULSECHECK->OPL->INV | PA IP CHARGES
PULSECHECK_BCF_I2 | PULSECHECK->OPL->INV | PA IP CHARGES
PULSECHECK_BCF_O1 | PULSECHECK->OPL->INV | PA OP CHARGES
PULSECHECK_BCF_O2 | PULSECHECK->OPL->INV | PA OP CHARGES
PWP_INV_ICD9 | POWERPATH->OPL->INV | ICD9
QUADRAMED ADT | INV->OPL->QUADRAMED | ADT
RAD_ECW | RAD->OPL->ECW | RESULTS
RAD26 PULSECHECK | RAD->OPL->PULSECHECK | RESULTS
RAD26_POWERSC | RAD->OPL->POWERSC | ORDERS
RADIOLOGY ADT | INV->OPL->RAD | ORDERS, ADT, OSU
RADIOLOGY BILLING | RAD->OPL->INV | PA CHARGES
RADIOLOGY_CDEMS | RAD->OPL->CDEMS DB | RESULTS
RADIOLOGY_INV | RAD->OPL->INV | ORDERS, OSU
RADIOLOGY_LCR | RAD->OPL->LCR | RESULTS
RX_AOBF | PHARM->OPL->INV | PA CHARGES
SMMC_DSS | SMMC->OPL->DSS | PT/PA INFO
SOFTMED ADT | INV->OPL->SOFTMED | ADT
SOFTMED UPD | SOFTMED->OPL->INV | ADT
TRACKSTAR BILLING | TRACKSTAR->OPL->INV | PA CHARGES
WEBMEDX_ADT | INV->OPL->WEBMEDX | ADT
WEBMEDX_RESULTS | WEBMEDX->OPL->LCR | RESULTS
WELL_COPAY | WELL->OPL->INV | PA CHARGES
ZIP_EAD | ZIP->OPL->INV | ADT